Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

best way to check data exists before insert

KJ10
Loves-to-Learn Lots
‎12-12-2025 02:52 AM

Currently we are checking data already exists in Splunk DB by isinstance method, here we need to iterate through entire data which is time consuming, Is there any best way to check same data already exists in Db to avoid duplication.

Labels (2)
Labels
0 Karma
Reply

KJ10
Loves-to-Learn Lots
‎12-12-2025 04:40 AM

Thanks for update @ITWhisperer , we are doing extraction during search, but user dont want duplication in splunk event as well so we implemented isinstance method to check data exist or not, is there any other way to check duplicate

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-12-2025 04:53 AM

It depends - do you mean "duplicate" events being returned in your search? What is the level of duplication? Is it the whole event i.e. if a single character is different then it is not a duplicate? Or is it that a particular field or set of fields have unique values? Or some other criteria that you would use to determine if an event is a duplicate?

0 Karma
Reply

KJ10
Loves-to-Learn Lots
‎12-12-2025 05:16 AM

Basically we are inserting data using Rest Api, after 1 hour interval our stream events get called and it dumps all the data, to avoid this we use lookup before insertion. On UI if we remove duplicate, it works as expected but in event there is lot of duplicates values, which is taking lots of space and giving slow performance

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-12-2025 03:05 AM

If you mean some sort of pre-indexing lookup, then the indexing / ingestion process in Splunk is not really designed for that. Any pre-indexing lookup / search would slow up the indexing process far too much and more likely to cause other issues. You would be better off doing your deduplication as part of the search process, which you could then use to populate a summary index with just the deduplicated events (or better yet, the aggregated results, depending on your usecase).

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...