Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find events with duplicate field

barrysvee
New Member
‎07-01-2015 07:21 AM

Our application had a defect in a logging interceptor that led to a field being duplicated in an event but where both values didn't match. I am trying to verify the fix but am having difficulty in coming up with a query.

How can I find all events where a field is listed twice in the same event but where both values are not equal?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2015 07:57 AM

Like this:

... | eventstats values(BrokenFIeld) dc(BrokenField) AS numDistinctValues count(BrokenField) AS numValues by _serial | where numValues>1 AND numDistinctValues>1
0 Karma
Reply

barrysvee
New Member
‎07-01-2015 08:45 AM

Thank you, that does produce a list of events that shows both BrokenField fields but does not filter to just the ones where both are unequal. If I add a known BrokenField value to the query I do see just the ones with that known value plus the unequal values. I'm losing the events with unequal values in the sea of events where they are correctly equal.

0 Karma
Reply

woodcock
Esteemed Legend
‎07-01-2015 09:01 AM

Are you sure? The search is pretty sold. The numValues>1 should drop out any events that do not have a multi-valued "BrokenField". The numDistinctValues>1 should drop out any events that do not have more than one value (e.g. that have the same value) for "BrokenField".

In any case, this simpler approach should also work for a 2-value-only case:

... | eval BV1=mvindex(BrokenValue,0) | eval BV2=mvindex(BrokenValue,1) | where isnotnull(BV1) AND isnotnull(BV2) AND BV1!=BV2
0 Karma
Reply

woodcock
Esteemed Legend
‎07-06-2015 09:47 PM

Did this work for you?

0 Karma
Reply

barrysvee
New Member
‎07-07-2015 06:16 AM

In theory it should. I finally got a response back from our infrastructure team stating that either they need to make BrokenValue a multivalue field or I need to use the rex command as part of my query. I'll attempt the latter some time today. Thank you again for your suggestions!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...