Using only 1 event out of many duplicate events

abhaywdc · ‎06-20-2024

Greetings to you !!

I have a file in which I have a following content :

My city is very good

your city is also very good

but

Now, I want only three lines to be indexed in Splunk :

My city is very good

your city is also very good

but

Since "but" has appeared multiple times , so we want to use only 1 "but" out of many

I want to write props or any kind of configuration so that I can achieve this results.

Kindly help !!

KendallW · ‎06-24-2024

Hi @abhaywdc there are a few ways to do this. Here's a way to do this using props.conf/transforms.conf:

props.conf:

...
TRANSFORMS-removeDupe=removeDupe

transforms.conf:

[removeDupe]
REGEX = (?s)(.*?)((but[\r\n]+)+)(.*)
FORMAT = $1$3$4
DEST_KEY = _raw

This transform tells Splunk to replace all the instances of "but" with the last instance, thereby de-duplicating them

Explanation of the regex from regexr:

Using only 1 event out of many duplicate events

heavy forwarder

props.conf

sourcetype

transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

Using only 1 event out of many duplicate events

heavy forwarder

props.conf

sourcetype

transforms.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions