Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

best way to check data exists before insert

KJ10
Loves-to-Learn Lots
‎12-12-2025 02:52 AM

Currently we are checking data already exists in Splunk DB by isinstance method, here we need to iterate through entire data which is time consuming, Is there any best way to check same data already exists in Db to avoid duplication.

Labels (2)
Labels
0 Karma
Reply

KJ10
Loves-to-Learn Lots
‎12-12-2025 04:40 AM

Thanks for update @ITWhisperer , we are doing extraction during search, but user dont want duplication in splunk event as well so we implemented isinstance method to check data exist or not, is there any other way to check duplicate

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-12-2025 04:53 AM

It depends - do you mean "duplicate" events being returned in your search? What is the level of duplication? Is it the whole event i.e. if a single character is different then it is not a duplicate? Or is it that a particular field or set of fields have unique values? Or some other criteria that you would use to determine if an event is a duplicate?

0 Karma
Reply

KJ10
Loves-to-Learn Lots
‎12-12-2025 05:16 AM

Basically we are inserting data using Rest Api, after 1 hour interval our stream events get called and it dumps all the data, to avoid this we use lookup before insertion. On UI if we remove duplicate, it works as expected but in event there is lot of duplicates values, which is taking lots of space and giving slow performance

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-12-2025 03:05 AM

If you mean some sort of pre-indexing lookup, then the indexing / ingestion process in Splunk is not really designed for that. Any pre-indexing lookup / search would slow up the indexing process far too much and more likely to cause other issues. You would be better off doing your deduplication as part of the search process, which you could then use to populate a summary index with just the deduplicated events (or better yet, the aggregated results, depending on your usecase).

Reply
Get Updates on the Splunk Community!

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...

New Year. New Skills. New Course Releases from Splunk Education

A new year often inspires reflection—and reinvention. Whether your goals include strengthening your security ...