https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114717#M30365 <P>dedup keepempty=t A B<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Dedup">http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Dedup</A></P> <P>My understanding is that dedup on 3 fields finds all matches on any two of them as duplicates. I will cite my source for that in a moment or just provide the results of a test case in support of that assertion, but I remember learning it in a Splunk course and testing it myself for validation.</P> Wed, 29 Apr 2015 02:37:29 GMT landen99 2015-04-29T02:37:29Z https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114709#M30357 <P>Hi,</P> <P>I want to use the dedup command with more than one criteria.</P> <P>First I used <STRONG>| dedup A</STRONG> and had 100 events afterwards.<BR /> Then I used <STRONG>| dedup A, B</STRONG> and had 70 events afterwards. In my understanding I the number of events should increase, because I've specified the dedup criteria and less duplicates should be identified?! Am I completely wrong?</P> <P>Best</P> <P>Heinz</P> Wed, 15 Jan 2014 09:19:18 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114709#M30357 HeinzWaescher 2014-01-15T09:19:18Z https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114710#M30358 <P>Does B exist in all your events? IIRC dedup will fail otherwise.</P> Wed, 15 Jan 2014 09:43:48 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114710#M30358 Ayn 2014-01-15T09:43:48Z https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114711#M30359 <P>Hey Ayn,</P> <P>yes normally it should exist in all events. Is there a command to find out, whether there are events without the field B and to filter them out?</P> <P>Edit:</P> <P>Just tried it out with | sourctype=* AND NOT B= * .<BR /> This results in a few events</P> Wed, 15 Jan 2014 10:50:33 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114711#M30359 HeinzWaescher 2014-01-15T10:50:33Z https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114712#M30360 <P>Then that's your problem there. You can do <CODE>... | fillnull B | ...</CODE> if you want B with an empty value in events that don't have it. That will make dedup work.</P> Wed, 15 Jan 2014 11:35:28 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114712#M30360 Ayn 2014-01-15T11:35:28Z https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114713#M30361 <P>Ah, now numbers are changing in the correct direction <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>And when I want to ignore events where the dedup criteria don't exist, I can just use </P> <P>sourcetype=* AND <BR /> A=* AND<BR /> B=* AND</P> <P>| dedup A,B</P> <P>Thanks a lot!</P> Wed, 15 Jan 2014 11:45:03 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114713#M30361 HeinzWaescher 2014-01-15T11:45:03Z https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114714#M30362 <P>A further question regarding the dedup command:</P> <P>Let's say the fields A &amp; B can appear multiple times in an event.<BR /> For example:</P> <P>Event 1:<BR /> A=1<BR /> A=2<BR /> B=3<BR /> B=4<BR /> timestamp=X</P> <P>Event:2<BR /> A=1<BR /> A=2<BR /> B=3<BR /> B=4<BR /> timestamp=X</P> <P>Event 3:<BR /> A=1<BR /> A=2<BR /> B=3<BR /> B=4<BR /> <STRONG>timestamp=Y</STRONG></P> <PRE><CODE>| dedup A,B,timestamp </CODE></PRE> <P>does this include all field values for A &amp; B and results in two remaining events (event 1 and event 3)?</P> <P>Thanks in advance</P> <P>Heinz</P> Fri, 17 Jan 2014 13:52:23 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114714#M30362 HeinzWaescher 2014-01-17T13:52:23Z https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114715#M30363 <P>Yes it gives the value till you have something distinct with the above combination.</P> Fri, 17 Jan 2014 14:29:17 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114715#M30363 linu1988 2014-01-17T14:29:17Z https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114716#M30364 <P>thanks for confirming!</P> Tue, 21 Jan 2014 12:57:41 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114716#M30364 HeinzWaescher 2014-01-21T12:57:41Z https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114717#M30365 <P>dedup keepempty=t A B<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Dedup">http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Dedup</A></P> <P>My understanding is that dedup on 3 fields finds all matches on any two of them as duplicates. I will cite my source for that in a moment or just provide the results of a test case in support of that assertion, but I remember learning it in a Splunk course and testing it myself for validation.</P> Wed, 29 Apr 2015 02:37:29 GMT https://community.splunk.com/t5/Splunk-Search/Dedup-with-multiple-criteria/m-p/114717#M30365 landen99 2015-04-29T02:37:29Z