Re: Combining 2 searches but need help with dedup ...

SS1 · ‎09-07-2022

Hi,

I have 2 searches where the dedup strategy is different, i want to combine the 2 searches but need help with dedup strategy.

Search 1: index=prod sourcetype=error AND "IOS" | dedup notification, source

Search 2: index=prod sourcetype=error AND "Android" | dedup _time

-> For "IOS" i need to dedup with only notification, source and for "Android" i need to dedup only with _time

index=prod sourcetype=error AND ("IOS" OR "Android") | dedup ?????

bowesmana · ‎09-07-2022

To do that in a single search, if Android does not have notification and source fields, then you could make these fields the same as time and then just dedup on those two fields

index=prod sourcetype=error AND ("IOS" OR "Android") 
| eval notification=coalesce(notification, _time)
| eval source=coalesce(source, _time)
| dedup notification source

as long as _time would never equal a real notification/source pair from IOS. stats command is another option if you can decide what you want to get out of the result.

Combining 2 searches but need help with dedup strategy

count

eval

fields

stats

subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Combining 2 searches but need help with dedup strategy

Can’t make it to .conf25? Join us online!