Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I eliminate similar results?

donrtowery
New Member
‎03-21-2018 08:40 AM

I have a query that is returning similar, but not exact results. In the example results below, I want to get rid of 'New Page' or 'New_Page_Load", they show the same value, so I only need one of them, but I can't filter out everything with the word 'Load', and I can't filter everything missing the word 'Load'. I have several redundant results that need to be filtered out like this, where the first two words of each result match.

New_Page
New_Page_Load
Old_Page_Load
Exit_Page

Tags (1)
0 Karma
Reply

donrtowery
New Member
‎03-21-2018 09:09 AM

sorry, let me clarify a bit. I need to remove similar fields, like this. so new_page and new_page_load have the same data, i need to remove one of these fields. I have several fields with different names, but similar circumstance (first two words match, ie last_page, last_page_load, write_row, write_row_load) and I need to remove 1 of each of these similar named fields because they have identical data. 

new_page     new_page_load     old_page    exit_page
      4                            4                        2                 0
      5                            5                        1                 5
      6                            6                        3                 6
0 Karma
Reply

jrballesteros05
Communicator
‎03-21-2018 09:53 AM

Can you use "fields"? For example: 

 fields New_Page, Old_Page_Load, Exit_Page

Or which conditions do you have?

0 Karma
Reply

tiagofbmm
Influencer
‎03-21-2018 08:51 AM

Hey

Create a rex to extract the first two words and then dedup on that new field

| rex field=_raw "(?<unique>.*\_[^\_]*)"

Then dedup unique

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...