
How to club the messages to remove duplicates

aditsss
Motivator

Hi Everyone,

I have one panel which consists of data like below:

_raw | host
2021-03-04 04:27:13,219 INFO [Server-296] on.c.s.StandardProcessScheduler Disabling StandardControllerServiceNode versionedComponentId=null, processGroup=StandardProcessGroup | abc.phx.xcp.com
2021-03-04 04:27:13,219 INFO [Server-296] on.c.s.StandardProcessScheduler Disabling StandardControllerServiceNode versionedComponentId=null, processGroup=StandardProcessGroup | abc.phx.vpp.com

The issue I am facing is I want to remove the duplicates on basis of host.

I used dedup but all are removed.

But it's not giving me the correct value.

Can someone guide me how I can remove duplicates?

Below is my query:

index=abc sourcetype=xyz source="app.log" info $process_tok1$
| rex field=_raw "(?<id>[A-Za-z0-9]{8}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{12})"
| join type=outer id [inputlookup nifi_api_parent_e1.csv]|search $ckey$|eval ClickHere=url|rex field=url mode=sed "s/\\/\\//\\//g s/https:/https:\\//g"|dedup host
| table _time _raw host id parent_chain url

1 Solution

ITWhisperer
SplunkTrust
eval _raw=trim(_raw)


ITWhisperer
SplunkTrust

Are you sure you want dedup host? Try dedup _raw


aditsss
Motivator

@ITWhisperer 


dedup _raw is not working. I am still getting all the logs

Below is my query:

index=abc sourcetype=xyz source="app.log" info $process_tok1$
| rex field=_raw "(?<id>[A-Za-z0-9]{8}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{12})"
| join type=outer id [inputlookup nifi_api_parent_e1.csv]|search $ckey$|eval ClickHere=url|rex field=url mode=sed "s/\\/\\//\\//g s/https:/https:\\//g"|dedup _raw
| table _time _raw host id parent_chain url

Can you guide me?


ITWhisperer
SplunkTrust

Try dedup earlier in the search

index=abc sourcetype=xyz source="app.log" info $process_tok1$
| dedup _raw
| rex field=_raw "(?<id>[A-Za-z0-9]{8}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{12})"
| join type=outer id [inputlookup nifi_api_parent_e1.csv]|search $ckey$|eval ClickHere=url|rex field=url mode=sed "s/\\/\\//\\//g s/https:/https:\\//g"
| table _time _raw host id parent_chain url

aditsss
Motivator

@ITWhisperer 

I tried, still getting all:

index=abc sourcetype=xyz source="/var/log/nifi/nifi-app.log" info $process_tok1$|dedup _raw
| rex field=_raw "(?<id>[A-Za-z0-9]{8}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{12})"
| join type=outer id [inputlookup nifi_api_parent_e1.csv]|search $ckey$|eval ClickHere=url|rex field=url mode=sed "s/\\/\\//\\//g s/https:/https:\\//g"
| table _time _raw host id parent_chain url


ITWhisperer
SplunkTrust

The _raw records look the same - could there be trailing spaces? Try trim(_raw) before the dedup?


aditsss
Motivator

@ITWhisperer 

Is my query correct for trim:

It's not taking the trim.

index=abc sourcetype=xyz source="/var/log/nifi/nifi-app.log" info 668c47ec-e848-1d32-ffff-ffff96793d58|trim(_raw) |dedup _raw
| rex field=_raw "(?<id>[A-Za-z0-9]{8}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{4}[\-][A-Za-z0-9]{12})"
| join type=outer id [inputlookup nifi_api_parent_e1.csv]|search |eval ClickHere=url|rex field=url mode=sed "s/\\/\\//\\//g s/https:/https:\\//g"
| table _time _raw host id parent_chain url


ITWhisperer
SplunkTrust
eval _raw=trim(_raw)
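To see why `dedup _raw` left every row in place and why `eval _raw=trim(_raw)` before the dedup fixes it, here is an added Python model of the thread's pipeline (not Splunk code and not part of the thread). The events are constructed from the panel above with different trailing whitespace, and the UUID regex uses a hyphen range in place of the posted `[A_Za-z0-9]`.

```python
import re

# Constructed sample events modelled on the thread's panel: the same message text
# padded with different amounts of trailing whitespace, plus one distinct event.
EVENT_TEXT = ("2021-03-04 04:27:13,219 INFO [Server-296] on.c.s.StandardProcessScheduler "
              "Disabling StandardControllerServiceNode versionedComponentId=null, "
              "processGroup=StandardProcessGroup 668c47ec-e848-1d32-ffff-ffff96793d58")
SAMPLE_EVENTS = [
    {"_raw": EVENT_TEXT + "     ", "host": "abc.phx.xcp.com"},  # five trailing spaces
    {"_raw": EVENT_TEXT + "   ",   "host": "abc.phx.vpp.com"},  # three trailing spaces
    {"_raw": EVENT_TEXT,           "host": "abc.phx.xcp.com"},  # no padding
    {"_raw": "2021-03-04 04:28:00,001 INFO [Server-296] on.c.s.StandardProcessScheduler "
             "Enabling StandardControllerServiceNode 11111111-2222-3333-4444-555555555555",
     "host": "abc.phx.vpp.com"},
]

# Same shape as the thread's rex, with A-Z as a range rather than the literal A_Z.
UUID_RE = re.compile(r"(?P<id>[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-"
                     r"[A-Za-z0-9]{4}-[A-Za-z0-9]{12})")


def rex_id(events):
    """Mimic `rex field=_raw "(?<id>...)"`: add an id field where the pattern matches."""
    out = []
    for ev in events:
        m = UUID_RE.search(ev["_raw"])
        out.append({**ev, "id": m.group("id") if m else None})
    return out


def dedup(events, field):
    """Mimic `dedup <field>`: keep the first event per distinct value, compared byte-for-byte.
    Trailing spaces make otherwise identical _raw values distinct, so nothing collapses."""
    seen, out = set(), []
    for ev in events:
        if ev.get(field) in seen:
            continue
        seen.add(ev.get(field))
        out.append(ev)
    return out


def trim_raw(events):
    """Mimic `eval _raw=trim(_raw)` (Python strip() also removes newlines, Splunk trim() does not)."""
    return [{**ev, "_raw": ev["_raw"].strip()} for ev in events]


def pipeline(events, trim_first):
    """Run dedup on _raw, optionally trimming first, then extract the id as the thread's query does."""
    evs = trim_raw(events) if trim_first else events
    return rex_id(dedup(evs, "_raw"))
```

Without the trim the four events survive `dedup _raw`; with it the three padded copies collapse to one, while `dedup host` collapses to one row per host regardless of content.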