Hi,
I need to remove duplicates in my results. Is there any way to do this other than using dedup?
I used stats, eventstats, still no luck.
stats count by your_field is faster than dedup if you don't want to keep other fields
Thanks Nick, but I want to keep other fields as well to add it to a dashboard.
Terribly inelegant, but you could stats count by your_field and then join those results with the same search copied and pasted:
<your_search> ... | table your_field b c | stats count by your_field | join type=left your_field [<your_search>] | table your_field b c
Really appreciate it, Nick. I will try these options.
Also for reference
https://answers.splunk.com/answers/789749/dedup-vs-stats-performance.html
(I am on the same page as you in that 99.9999% of the time I want to keep my other fields as well, which makes stats values absolutely useless in this "debate")
@rupesh26 try a distinct count:
| stats dc(<your_field>)
This counts distinct values; it does not dedup.
Yes, that's correct
So... this does not answer the question lol
Apologies! I should have read the question more carefully!