Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to find events with duplicate field

barrysvee
New Member
‎07-01-2015 07:21 AM

Our application had a defect in a logging interceptor that led to a field being duplicated in an event but where both values didn't match. I am trying to verify the fix but am having difficulty in coming up with a query.

How can I find all events where a field is listed twice in the same event but where both values are not equal?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2015 07:57 AM

Like this:

... | eventstats values(BrokenFIeld) dc(BrokenField) AS numDistinctValues count(BrokenField) AS numValues by _serial | where numValues>1 AND numDistinctValues>1
0 Karma
Reply

barrysvee
New Member
‎07-01-2015 08:45 AM

Thank you, that does produce a list of events that shows both BrokenField fields but does not filter to just the ones where both are unequal. If I add a known BrokenField value to the query I do see just the ones with that known value plus the unequal values. I'm losing the events with unequal values in the sea of events where they are correctly equal.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2015 09:01 AM

Are you sure? The search is pretty sold. The numValues>1 should drop out any events that do not have a multi-valued "BrokenField". The numDistinctValues>1 should drop out any events that do not have more than one value (e.g. that have the same value) for "BrokenField".

In any case, this simpler approach should also work for a 2-value-only case:

... | eval BV1=mvindex(BrokenValue,0) | eval BV2=mvindex(BrokenValue,1) | where isnotnull(BV1) AND isnotnull(BV2) AND BV1!=BV2
0 Karma
Reply

woodcock
Esteemed Legend
‎07-06-2015 09:47 PM

Did this work for you?

0 Karma
Reply

barrysvee
New Member
‎07-07-2015 06:16 AM

In theory it should. I finally got a response back from our infrastructure team stating that either they need to make BrokenValue a multivalue field or I need to use the rex command as part of my query. I'll attempt the latter some time today. Thank you again for your suggestions!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...