Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Alternate to dedup
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alternate to dedup
rupesh26
Path Finder
01-28-2020
02:22 PM
Hi,
I need to remove duplicates in my results, is there anyway to do this other than using dedup.
I used stats, eventstats still no luck
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
01-28-2020
03:05 PM
stats count by your_field is faster than dedup if you don't want to keep other fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rupesh26
Path Finder
01-28-2020
03:09 PM
Thanks nick, by I want to keep other fields as well to add it to a dashboard.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
01-28-2020
03:33 PM
Terribly inelegant, but you could stats count by your_field and then join those results with the same search copied and pasted
<your_search> ... | table your_field b c | stats count by your_field | join type=left your_field [<your_search>] | table your_field b c
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rupesh26
Path Finder
01-28-2020
03:37 PM
Really appreciate it Nick , I will try these options.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
01-28-2020
03:46 PM
Also for reference
https://answers.splunk.com/answers/789749/dedup-vs-stats-performance.html
(I am on the same page as you in that 99.9999% of the time I want to keep my other fields as well, which makes stats values absolutely useless in this "debate")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jscraig2006
Communicator
01-28-2020
02:54 PM
@ rupesh26 try a distinct count:
| stats dc(<your_feild>)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
01-28-2020
02:56 PM
This counts distinct values it does not dedup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rupesh26
Path Finder
01-28-2020
02:58 PM
Yes, that's correct
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
01-28-2020
03:00 PM
So... this does not answer the question lol
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jscraig2006
Communicator
01-28-2020
03:20 PM
Apologies! I should have read the question more carefully!
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
