Hi Guys,
I'd like to exclude the logs with the same time from the search results:
_time                 _raw
2021-5-26 00:00:00    A
2021-5-26 00:00:00    B
2021-5-26 00:05:00    C
2021-5-26 00:10:05    D
What I'd like to see:
_time                 downtime
2021-5-26 00:05:00    C
2021-5-26 00:10:05    D
Would you please share how I can do this? Thanks!
Hi @JiachengWei
Try to use the dedup command:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup
Maybe it's better to transform the time field into another one to avoid conflicts.
Example:
<your search>
| eval date=strftime(_time,"%d-%m-%Y %H:%M:%S")
| dedup date
@aasabatini Thanks for sharing. But dedup will only delete the duplicate log. I believe it will show as below:
_time                 _raw
2021-5-26 00:00:00    A
2021-5-26 00:05:00    C
2021-5-26 00:10:05    D
What I'd like to see:
_time                 downtime
2021-5-26 00:05:00    C
2021-5-26 00:10:05    D
Do you have any other ideas? Thanks!
Hi @JiachengWei
I'm sorry, I didn't get the point.
OK, I used this method: I converted the time to epoch to have a unique number, I created an eventstats to know how many events are present for each epoch time value, and I filtered events only by unique timestamp:
<your search>
| eval epoch_convert=_time
| eventstats count as "events_number" by epoch_convert
| where events_number=1
If this search helps you, karma points or solution confirmation are appreciated.
Ale
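Added example, not part of the thread: a small Python re-implementation of the two searches over the poster's sample rows, to show why `dedup` keeps A while the `eventstats count ... | where events_number=1` version drops both A and B. The events are constructed to mirror the rows above; `to_epoch` plays the role of `eval epoch_convert=_time`.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events mirroring the thread's _time / _raw rows.
RAW_EVENTS = [
    ("2021-05-26 00:00:00", "A"),
    ("2021-05-26 00:00:00", "B"),
    ("2021-05-26 00:05:00", "C"),
    ("2021-05-26 00:10:05", "D"),
]


def to_epoch(ts: str) -> int:
    """Equivalent of `eval epoch_convert=_time`: one integer key per second."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def dedup_by_time(events):
    """Mimics `| dedup date`: keeps only the FIRST event seen for each timestamp."""
    seen = set()
    kept = []
    for ts, raw in events:
        key = to_epoch(ts)
        if key not in seen:
            seen.add(key)
            kept.append((ts, raw))
    return kept


def only_unique_time(events):
    """Mimics `| eventstats count as events_number by epoch_convert | where events_number=1`:
    counts events per timestamp first, then drops EVERY event whose timestamp is shared."""
    counts = Counter(to_epoch(ts) for ts, _ in events)
    return [(ts, raw) for ts, raw in events if counts[to_epoch(ts)] == 1]


if __name__ == "__main__":
    print("dedup     :", [raw for _, raw in dedup_by_time(RAW_EVENTS)])    # ['A', 'C', 'D']
    print("count == 1:", [raw for _, raw in only_unique_time(RAW_EVENTS)])  # ['C', 'D']
```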