Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using only 1 event out of many duplicate events

abhaywdc
Loves-to-Learn
‎06-20-2024 12:40 PM

Greetings to you !!

I have a file in which I have a following content :

My city is very good

your city is also very good

but

but

but

but

Now, I want only three lines to be indexed in Splunk :

My city is very good

your city is also very good

but

Since "but" has appeared multiple times , so we want to use only 1 "but" out of many

I want to write props or any kind of configuration so that I can achieve this results.

Kindly help !!

0 Karma
Reply

KendallW
Contributor
‎06-24-2024 10:19 PM

Hi @abhaywdc there are a few ways to do this. Here's a way to do this using props.conf/transforms.conf:

props.conf:

 

...
TRANSFORMS-removeDupe=removeDupe

 

transforms.conf:

 

[removeDupe]
REGEX = (?s)(.*?)((but[\r\n]+)+)(.*)
FORMAT = $1$3$4
DEST_KEY = _raw

 

This transform tells Splunk to replace all the instances of "but" with the last instance, thereby de-duplicating them

Explanation of the regex from regexr:

KendallW_0-1719292658039.png

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...