Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to remove duplicate events in search results without using DEDUP

horizonsecurity
Explorer
‎11-25-2012 03:27 AM

I'm using *NIX app 4.6, and for auditd logs I have a duplication problem of events. I also checked the raw logs and they are unique.
Is it possible to remove this problem at the source (i.e. with a script or cli) without use the dedup filter in the console at the analysis phase?

Tags (1)
0 Karma
Reply

jonuwz
Influencer
‎11-26-2012 05:14 AM

Is it still happening ? I wouldn't bother cleaning up until you've fixed it at source.

Run this :

index=os | streamstats count by _raw _time source sourcetype host | table count _time host source sourcetype _raw

This will show you what is duplicated.

Example :

If you have 3 identical events like this:

2012-11-25 13:01:00 This is a message

You'll see this in the output :

Count  ... .. .. ..   _raw
3      ... .. .. ..   2012-11-25 13:01:00 This is a message
2      ... .. .. ..   2012-11-25 13:01:00 This is a message
1      ... .. .. ..   2012-11-25 13:01:00 This is a message

From here its pretty easy to delete the duplicates

But 1st a word from safety pig :

    _._ _..._ .-',     _.._('))
   '-. '     '  /-._.-'    ',/
      )         \            '.
     / _    _    |             \
    |  a    a    /              |
    \   .-.                     ;  
     '-('' ).-'       ,'       ;
        '-;           |      .'
           \           \    /
           | 7  .__  _.-\   \
           | |  |  ''/  /'  /
          /,_|  |   /,_/   /
             /,_/      ''-'

Backup your index first, then delete from the copy to make sure that this works. There is no 'undo'. Only then run it on your live data.

This will delete your duplicates provided that "_raw _time source sourcetype host" are the fields that should make an event unique:

index=os | streamstats count by _raw _time source sourcetype host | where count > 1 | delete
Reply

orion44
Communicator
‎03-03-2019 07:14 PM

Error in 'delete' command: Missing or malformed messages.conf stanza for DISPATCHCOMM:PREVSTREAM_ERROR__simpleresultcombiner

0 Karma
Reply

fabiocaldas
Contributor
‎01-29-2014 04:06 PM

I'm also having same problem, anyway know how to solve it

Reply

jagadeeshm
Contributor
‎03-31-2017 01:36 PM

Yes, I get the same error!

0 Karma
Reply

BStodd
Engager
‎11-30-2012 04:33 PM

I'm a VERY green splunker, but when I try this command I get this error...

Error in 'delete' command: This command cannot be invoked after the non-streaming command 'streamstats'.

Am I missing something? Thanks for your post!

Reply

horizonsecurity
Explorer
‎11-25-2012 09:22 AM

Is the problem that you have only a single copy of an event in the raw log but you have more than one copy in Splunk?

Yes, this is the issue; 1 raw event <-> 10 splunk console events (more or less)

0 Karma
Reply

reed_kelly
Contributor
‎11-25-2012 07:25 AM

We had an issue with Splunk re-indexing the gzipped versions of the log files. Find a pair of duplicate events and see if the "source" field is the same.

0 Karma
Reply

sbrant_splunk
Splunk Employee
Splunk Employee
‎11-25-2012 06:30 AM

Is the problem that you have only a single copy of an event in the raw log but you have more than one copy in Splunk? It's a bit unclear from your question.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...