Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Indexed data twice! Suggestions to remove data from being searched?

ben_leung
Builder
‎02-23-2016 09:09 AM

Lets say we have forwarded events that are exactly the same and show in Splunk as duplicates. Running a | dedup _raw would resolve the duplicate events at search time. Would it make sense to run index=main | deduce _raw | delete so that we won't have to run a dedup every single time on that time range of events?

0 Karma
Reply

the_wolverine
Champion
‎02-23-2016 09:17 AM

I wouldn't advise scheduling a delete. For one, delete is expensive to run. Second, possibly dangerous in that you may wind up deleting something by accident. Third, fix the reason for duplicate events instead.

Reply

ben_leung
Builder
‎02-23-2016 09:12 AM

The reason I ask this is because | delete would remove the events returned from the prior search. I would assume it would "delete" the duplicate AND the original events. Does anyone know the behavior of this kind of scenario?

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...