Solved: How do we disable dupliacte events to display in ...

rakesh_498115 · ‎06-26-2012

Hi

For Every Search Query i excute . I could see the list of the dupliate events associated with each search query . How can make them disable and display only the unique events associated with my search Query.

I am getting these duplicate events ..since accidently i got the source files indexed twice.I know i can i delete them...but i dnt want to delete..cause it may effect the other search queries..can you pls give me a solution to see the unique events for my search without deleting the dulicate source files...

thanx..

Ayn · ‎06-26-2012

Is both the sourcetype and source exactly the same? Otherwise, you could single out just one of the duplicated sources. Another option would to dedup by the _time or _raw fields.

View solution in original post

yannK · ‎06-26-2012

You can use the command | dedup to keep only one of them. In your case the field can be _raw.

" mysearch | dedup _raw | myotherthingstodolikestats"

Ayn · ‎06-26-2012

Is both the sourcetype and source exactly the same? Otherwise, you could single out just one of the duplicated sources. Another option would to dedup by the _time or _raw fields.

rakesh_498115 · ‎06-26-2012

Thanks .:)

How do we disable dupliacte events to display in the search results

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life