Combining 2 searches but need help with dedup stra...

SS1 · ‎09-07-2022

Hi,

I have 2 searches where the dedup strategy is different, i want to combine the 2 searches but need help with dedup strategy.

Search 1: index=prod sourcetype=error AND "IOS" | dedup notification, source

Search 2: index=prod sourcetype=error AND "Android" | dedup _time

-> For "IOS" i need to dedup with only notification, source and for "Android" i need to dedup only with _time

index=prod sourcetype=error AND ("IOS" OR "Android") | dedup ?????

bowesmana · ‎09-07-2022

To do that in a single search, if Android does not have notification and source fields, then you could make these fields the same as time and then just dedup on those two fields

index=prod sourcetype=error AND ("IOS" OR "Android") 
| eval notification=coalesce(notification, _time)
| eval source=coalesce(source, _time)
| dedup notification source

as long as _time would never equal a real notification/source pair from IOS. stats command is another option if you can decide what you want to get out of the result.

Combining 2 searches but need help with dedup strategy

count

eval

fields

stats

subsearch

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Combining 2 searches but need help with dedup strategy