Re: How can I eliminate similar results?

donrtowery · ‎03-21-2018

I have a query that is returning similar, but not exact results. In the example results below, I want to get rid of 'New Page' or 'New_Page_Load", they show the same value, so I only need one of them, but I can't filter out everything with the word 'Load', and I can't filter everything missing the word 'Load'. I have several redundant results that need to be filtered out like this, where the first two words of each result match.

New_Page
New_Page_Load
Old_Page_Load
Exit_Page

donrtowery · ‎03-21-2018

sorry, let me clarify a bit. I need to remove similar fields, like this. so new_page and new_page_load have the same data, i need to remove one of these fields. I have several fields with different names, but similar circumstance (first two words match, ie last_page, last_page_load, write_row, write_row_load) and I need to remove 1 of each of these similar named fields because they have identical data.

new_page     new_page_load     old_page    exit_page
      4                            4                        2                 0
      5                            5                        1                 5
      6                            6                        3                 6

jrballesteros05 · ‎03-21-2018

Can you use "fields"? For example:

 fields New_Page, Old_Page_Load, Exit_Page

Or which conditions do you have?

tiagofbmm · ‎03-21-2018

Hey

Create a rex to extract the first two words and then dedup on that new field

| rex field=_raw "(?<unique>.*\_[^\_]*)"

Then dedup unique

How can I eliminate similar results?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?