It's better to use dc(your_field) whenever you can. I once asked what was the difference to a Splunk Instructor and he said that dc was faster than dedup.
Using dedup on a larger dataset can be expensive. There are cases where you can replace dedup by using a stats latest(... or subsearch as filters or something else. Whether dedup can be replaced or not, and if yes, then with what, will depend upon your query requirements. Could you give some sample search on how the dedup is being used?
Can you compare your dedup results (and performance) with the following query?
index=test | eval temp=od."#".line| timechart span=1d dc(temp) as total | stats avg(total)
I think it's gonna work out. Thank you. I appreciate your support.
Is there any way to contact you through e-mail or phone?
uhkc777 - Did the search query provided by somesoni2 help provide a working solution to your question? Please let me know when you can so that it can be converted to an answer. Thanks!