https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144651#M40265 <P>Below is an example of a log file I'm trying to analyse (thousands of entries). I wish to remove duplicate entries based on the <CODE>Acct-Session-Id</CODE>. So I'm using dedup e.g.: source="file1" dedup Acct-Session-Id</P> <P>What I get is; "No results found."</P> <P>Is there something I'm missing? I have tried all suggestions on this forum.</P> <PRE><CODE>Sun Jun 2 23:54:41 2014 Packet-Type = Access-Request Acct-Session-Id = "6885EAB8-8056F22CA0AB-0000016600" Calling-Station-Id = "80-xx-xx-2xx-xx-AB" Called-Station-Id = "00-xx-xx-75-86-D0" Vendor-388-Attr-2 = 0xxxx475726f616d NAS-Port = 1 NAS-Port-Type = Wireless-802.11 </CODE></PRE> Mon, 08 Jun 2015 15:20:38 GMT Scan001 2015-06-08T15:20:38Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144651#M40265 <P>Below is an example of a log file I'm trying to analyse (thousands of entries). I wish to remove duplicate entries based on the <CODE>Acct-Session-Id</CODE>. So I'm using dedup e.g.: source="file1" dedup Acct-Session-Id</P> <P>What I get is; "No results found."</P> <P>Is there something I'm missing? I have tried all suggestions on this forum.</P> <PRE><CODE>Sun Jun 2 23:54:41 2014 Packet-Type = Access-Request Acct-Session-Id = "6885EAB8-8056F22CA0AB-0000016600" Calling-Station-Id = "80-xx-xx-2xx-xx-AB" Called-Station-Id = "00-xx-xx-75-86-D0" Vendor-388-Attr-2 = 0xxxx475726f616d NAS-Port = 1 NAS-Port-Type = Wireless-802.11 </CODE></PRE> Mon, 08 Jun 2015 15:20:38 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144651#M40265 Scan001 2015-06-08T15:20:38Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144652#M40266 <P>hi,<BR /> we must put the pipe before using dedup because dedup is a command<BR /> <CODE>dedup</CODE> Removes the events which contain an identical combination of values for selected fields.<BR /> Also check if the field acc-session_id used by dedup appears in highlight the results.<BR /> because if acc-session_id is a field, it will not work.</P> <P>check and let me know.</P> Mon, 28 Sep 2020 20:11:35 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144652#M40266 gyslainlatsa 2020-09-28T20:11:35Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144653#M40267 <P>Hey,<BR /> Thanks for quick answer, I have tried it with and without the pipe. It does try and run when I use the pipe but returns zero results.</P> <P>Any ideas?</P> Mon, 08 Jun 2015 15:27:36 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144653#M40267 Scan001 2015-06-08T15:27:36Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144654#M40268 <P>when you remove dedup, you have the results?</P> Mon, 08 Jun 2015 15:36:13 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144654#M40268 gyslainlatsa 2015-06-08T15:36:13Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144655#M40269 <P>Hey.</P> <P>Okay I don't understand the second part of your answer. This may be the source of my problem. What do you mean <BR /> " if the field acc-session_id used by dedup appears in highlight the results. because if acc-session_id is a field....."</P> <P>Apologise if this is a very basic question, I'm a newbe and I'm just getting the hang of the language..</P> Mon, 28 Sep 2020 20:14:25 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144655#M40269 Scan001 2020-09-28T20:14:25Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144656#M40270 <P>hi Scan001 <BR /> Try search code with uniq command</P> <PRE><CODE> source="file1" |table Acct-Session-Id| uniq </CODE></PRE> Mon, 08 Jun 2015 16:23:20 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144656#M40270 chimell 2015-06-08T16:23:20Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144657#M40271 <P>Thanks Chimell,</P> <P>Unfortunately that returns all records and drops none of the duplicates.</P> Mon, 08 Jun 2015 16:34:12 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144657#M40271 Scan001 2015-06-08T16:34:12Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144658#M40272 <P>I just ask to check if the Acct-Session-id field appears in the events and if multiple values<BR /> try this query: <CODE>source="file1" |table Acct-Session-Id |dedup Acct-Session-Id</CODE> an let me know if you have the results.</P> Mon, 08 Jun 2015 16:34:37 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144658#M40272 gyslainlatsa 2015-06-08T16:34:37Z https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144659#M40273 <P>Yes, it is in every record. I tried your suggestion, but the duplicates are not filtered out, the complete set is returned. </P> <P>Frustrating!</P> Mon, 08 Jun 2015 22:40:05 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-dedup-not-return-any-results/m-p/144659#M40273 Scan001 2015-06-08T22:40:05Z