Solved: Finding and removing all but one duplicate doc

bruceclarke · ‎02-07-2014

All,

I'm curious, is there an easy way to find all duplicate logs and delete all but one of them?

Thanks!

martin_mueller · ‎02-07-2014

You could do something like this:

base search | streamstats count by _raw | where count > 1

That should select duplicates number 2, 3, and so on. Once you've confirmed that this really is what you're looking for, you can switch to a user with the can_delete role and pipe that to delete.

View solution in original post

martin_mueller · ‎02-07-2014

You could do something like this:

base search | streamstats count by _raw | where count > 1

That should select duplicates number 2, 3, and so on. Once you've confirmed that this really is what you're looking for, you can switch to a user with the can_delete role and pipe that to delete.

Finding and removing all but one duplicate doc

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation