Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I dedup one part of a combined search?

rjlohan
Explorer
‎06-23-2015 06:26 PM

Hi,

How can I dedup one input to a combined search?

e.g;

index=dataA OR index=dataB | dedup <some field only present in dataB>

dataB has duplicate records, and I want to exclude only those records in dataB, by a field present in only those records.

Tags (1)
0 Karma
Reply

fdi01
Motivator
‎06-24-2015 02:33 AM

try with fields command to remove this fields before use it, like this:

index=dataA OR index=dataB | ...|fields -source_name_fields, host, ip, ....
0 Karma
Reply

acharlieh
Influencer
‎06-23-2015 08:36 PM

Assuming that the field is only present in dataB, you could do:

| dedup <field only present in dataB> keepempty=true

This will keep unique values of that field plus all events where the field isn't present. See the docs on dedup for more specific detail, and other options.

0 Karma
Reply

rjlohan
Explorer
‎06-23-2015 10:46 PM

Thanks, I did try that but it didn't seem to do the job. If I search just that source and dedup, fine. But if I include multiple sources, duplicate records reappeared. I am also piping the results to transaction command, and that may have an impact too.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...