topic Re: How to reverse results of dedup in the same command ? in Splunk Search

How to reverse results of dedup in the same command ?

welcominh — Tue, 25 Jul 2017 14:01:48 GMT

Im having an issue when trying to dedup some values. Here are the logs of servers states im having in Splunk, from the latest to the oldest

1 - UP
2 - UP
3 - UP
4 - UP
5 - DOWN
6 - DOWN
7 - DOWN
8 - DOWN
9 - DOWN

When trying to dedup with dedup state consecutive=true i get the following results :

1 - UP
5 - DOWN

Is there any way to get instead the following results ?

4 - UP
5 - DOWN

That is to say the oldest result for UP values, and the latest for DOWN values.

Thanks in advance !

somesoni2 — Tue, 25 Jul 2017 17:20:28 GMT

You can do this

your base search giving latest to earliest listing of states
| reverse | dedup state consecutive=true

your base search giving latest to earliest listing of states
| dedup state consecutive=true sortby +_time

welcominh — Wed, 26 Jul 2017 07:46:10 GMT

This does not give me the expected result...It is exactly the same problem but reversed...

9 - DOWN
4 - UP