Solved: Deduping Results But Preserving Most Recent Value

cgalligan · ‎12-08-2017

I'm running a query to pull data on some agents, which have each have a unique "aid". For example, my computer would have a unique aid, but if I check in once every hour the most recent up to data detail set is 60min ago. How can I dedup by aid while showing the most recent data?

Here is my query - the agentlocaltime and AgentVersion is what would vary based on results:

index=<AGENT_INFO> sourcetype=<SOURCETYPE> event_platform=<OS TYPE> event_simpleName=AgentOnline|eval agentlocal_time=strftime(AgentLocalTime,"%m/%d/%y %H:%M:%S")| table aip,aid,SystemProductName,SystemManufacturer,MoboManufacturer,ComputerName,BiosVersion,BiosReleaseDate,BiosManufacturer,AgentVersion,agentlocal_time,aid,aip

DalJeanis · ‎12-08-2017

You actually have the exact right term.

your search that returns the records 
| dedup aid

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Dedup

What dedup does is it saves the first record it encounters by the fields listed (in this case aid) and discards all others.

Since Splunk by its nature returns the most recent record first, that's all you need, unless you have run a command like stats that implicitly or sort that explicitly changes the order.

The dedup command can require the data to be sent to the search head, so you want a fields command before dedup to limit the data transmitted. For this purpose, we just copied your table command above dedup and changed it to fields.

 index=<AGENT_INFO> sourcetype=<SOURCETYPE> event_platform=<OS TYPE> event_simpleName=AgentOnline
| fields aip, aid, SystemProductName, SystemManufacturer, MoboManufacturer, ComputerName, BiosVersion, BiosReleaseDate, BiosManufacturer, AgentVersion, agentlocal_time    
| dedup aid
| eval agentlocal_time=strftime(AgentLocalTime,"%m/%d/%y %H:%M:%S")
| table aip, aid, SystemProductName, SystemManufacturer, MoboManufacturer, ComputerName, BiosVersion, BiosReleaseDate, BiosManufacturer, AgentVersion, agentlocal_time

View solution in original post

DalJeanis · ‎12-08-2017

You actually have the exact right term.

your search that returns the records 
| dedup aid

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Dedup

What dedup does is it saves the first record it encounters by the fields listed (in this case aid) and discards all others.

Since Splunk by its nature returns the most recent record first, that's all you need, unless you have run a command like stats that implicitly or sort that explicitly changes the order.

The dedup command can require the data to be sent to the search head, so you want a fields command before dedup to limit the data transmitted. For this purpose, we just copied your table command above dedup and changed it to fields.

 index=<AGENT_INFO> sourcetype=<SOURCETYPE> event_platform=<OS TYPE> event_simpleName=AgentOnline
| fields aip, aid, SystemProductName, SystemManufacturer, MoboManufacturer, ComputerName, BiosVersion, BiosReleaseDate, BiosManufacturer, AgentVersion, agentlocal_time    
| dedup aid
| eval agentlocal_time=strftime(AgentLocalTime,"%m/%d/%y %H:%M:%S")
| table aip, aid, SystemProductName, SystemManufacturer, MoboManufacturer, ComputerName, BiosVersion, BiosReleaseDate, BiosManufacturer, AgentVersion, agentlocal_time

cgalligan · ‎12-08-2017

thanks, I didn't realize that it was returning newest first

Deduping Results But Preserving Most Recent Value

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation