Alternate to dedup

rupesh26 · ‎01-28-2020

Hi,

I need to remove duplicates in my results, is there anyway to do this other than using dedup.
I used stats, eventstats still no luck

nick405060 · ‎01-28-2020

stats count by your_field is faster than dedup if you don't want to keep other fields

rupesh26 · ‎01-28-2020

Thanks nick, by I want to keep other fields as well to add it to a dashboard.

nick405060 · ‎01-28-2020

Terribly inelegant, but you could stats count by your_field and then join those results with the same search copied and pasted

<your_search> ... | table your_field b c | stats count by your_field | join type=left your_field [<your_search>] | table your_field b c

rupesh26 · ‎01-28-2020

Really appreciate it Nick , I will try these options.

nick405060 · ‎01-28-2020

Also for reference

https://answers.splunk.com/answers/789749/dedup-vs-stats-performance.html

(I am on the same page as you in that 99.9999% of the time I want to keep my other fields as well, which makes stats values absolutely useless in this "debate")

jscraig2006 · ‎01-28-2020

@ rupesh26 try a distinct count:
| stats dc(<your_feild>)

nick405060 · ‎01-28-2020

This counts distinct values it does not dedup.

rupesh26 · ‎01-28-2020

Yes, that's correct

nick405060 · ‎01-28-2020

So... this does not answer the question lol

jscraig2006 · ‎01-28-2020

Apologies! I should have read the question more carefully!

Alternate to dedup

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

Alternate to dedup

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions