Alternate to dedup

rupesh26 · ‎01-28-2020

Hi,

I need to remove duplicates in my results, is there anyway to do this other than using dedup.
I used stats, eventstats still no luck

nick405060 · ‎01-28-2020

stats count by your_field is faster than dedup if you don't want to keep other fields

rupesh26 · ‎01-28-2020

Thanks nick, by I want to keep other fields as well to add it to a dashboard.

nick405060 · ‎01-28-2020

Terribly inelegant, but you could stats count by your_field and then join those results with the same search copied and pasted

<your_search> ... | table your_field b c | stats count by your_field | join type=left your_field [<your_search>] | table your_field b c

rupesh26 · ‎01-28-2020

Really appreciate it Nick , I will try these options.

nick405060 · ‎01-28-2020

Also for reference

https://answers.splunk.com/answers/789749/dedup-vs-stats-performance.html

(I am on the same page as you in that 99.9999% of the time I want to keep my other fields as well, which makes stats values absolutely useless in this "debate")

jscraig2006 · ‎01-28-2020

@ rupesh26 try a distinct count:
| stats dc(<your_feild>)

nick405060 · ‎01-28-2020

This counts distinct values it does not dedup.

rupesh26 · ‎01-28-2020

Yes, that's correct

nick405060 · ‎01-28-2020

So... this does not answer the question lol

jscraig2006 · ‎01-28-2020

Apologies! I should have read the question more carefully!

Alternate to dedup

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)