Dedup command not working after using the stats li...

kmrkunal · ‎09-28-2019

When I am running the following search:

index=main sourcetype="access_combined_wcookie"| stats list(useragent) as Browsers | dedup Browsers consecutive=true

The dedup command is not removing duplicate entries in the browser field.
Can someone explain to me why it is happening?

nareshinsvu · ‎09-29-2019

Did you try mvdedup?

index=main sourcetype="access_combined_wcookie"
| stats list(useragent) as Browsers
| eval Browsers=mvdedup(Browsers)

diogofgm · ‎09-28-2019

While using dedup on a table, splunk will deduplicate values (read cells) of a given field. Your result has a single value/cell (regardless of having multiple values inside it) so there is nothing to dedup.

What you're probably looking for is something like:
index=main sourcetype="access_combined_wcookie"| stats values(useragent) as Browsers

OR

index=main sourcetype="access_combined_wcookie"| stats count by useragent

------------
Hope I was able to help you. If so, some karma would be appreciated.

Dedup command not working after using the stats list command

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation