https://community.splunk.com/t5/Splunk-Search/Report-Dedup/m-p/106627#M27742 <P>martin_muller is essentially right, the solution below might be slightly more efficient, as the <CODE>stats</CODE> is performed on only the smaller set of data. </P> <P><CODE>sourcetype=xxx index=yyy earliest=@d NOT [sourcetype=xxx index=yyy earliest=-1d@d latest=@d | dedup shost | fields + shost] | stats c by shost</CODE></P> <P>The subsearch will execute first and return the distinct set of <CODE>shost</CODE> for the previous day, so that the outer search will effectively be;</P> <P><CODE>sourcetype=xxx index=yyy earliest=@d NOT ((shost=host1) OR (shost=host2) OR (shost=host3)) | stats c by shost</CODE></P> <P>Hope this helps,</P> <P>Kristian</P> Fri, 26 Apr 2013 06:28:29 GMT kristian_kolb 2013-04-26T06:28:29Z https://community.splunk.com/t5/Splunk-Search/Report-Dedup/m-p/106625#M27740 <P>Is there a way to eliminate duplicates by reports? Specifically what I'm looking to do is run a report every 24hrs for X range | stat count by shost. I don't want the report to show any hosts that showed up on the previous report. I know how to eliminate duplicates from a single report but don't know if it's possible to "dedup" on a previously run report.</P> <P>Thanks</P> Thu, 25 Apr 2013 19:00:51 GMT https://community.splunk.com/t5/Splunk-Search/Report-Dedup/m-p/106625#M27740 TucoRameriz 2013-04-25T19:00:51Z https://community.splunk.com/t5/Splunk-Search/Report-Dedup/m-p/106626#M27741 <P>You could do something like this:</P> <PRE><CODE>your report with stat count for the current day | search NOT [query for shost values in the previous day] </CODE></PRE> <P>That will remove rows if the shost value appeared in the previous day... once translated into proper splunk commands of course.</P> Thu, 25 Apr 2013 21:44:38 GMT https://community.splunk.com/t5/Splunk-Search/Report-Dedup/m-p/106626#M27741 martin_mueller 2013-04-25T21:44:38Z https://community.splunk.com/t5/Splunk-Search/Report-Dedup/m-p/106627#M27742 <P>martin_muller is essentially right, the solution below might be slightly more efficient, as the <CODE>stats</CODE> is performed on only the smaller set of data. </P> <P><CODE>sourcetype=xxx index=yyy earliest=@d NOT [sourcetype=xxx index=yyy earliest=-1d@d latest=@d | dedup shost | fields + shost] | stats c by shost</CODE></P> <P>The subsearch will execute first and return the distinct set of <CODE>shost</CODE> for the previous day, so that the outer search will effectively be;</P> <P><CODE>sourcetype=xxx index=yyy earliest=@d NOT ((shost=host1) OR (shost=host2) OR (shost=host3)) | stats c by shost</CODE></P> <P>Hope this helps,</P> <P>Kristian</P> Fri, 26 Apr 2013 06:28:29 GMT https://community.splunk.com/t5/Splunk-Search/Report-Dedup/m-p/106627#M27742 kristian_kolb 2013-04-26T06:28:29Z