The initial search is this:
index=myindex myapplication UID=* IDX=* IDOK=* | dedup IDX | table _time,UID,IDX,IDOK
I have been asked to create a report that shows the same for, let's say, the last 24 hours — but not removing all duplicates, only duplicates within each 5-minute time slot. I guess the time slot is created using span, but I'm not sure how to ensure that I do not get duplicate IDXes.
Give this a try:
index=myindex myapplication UID=* IDX=* IDOK=* | bin _time span=5m | dedup _time IDX | table _time,UID,IDX,IDOK
The bin will group in 5-minute chunks. Doing the dedup on both _time (a five-minute chunk) and IDX will dedup on IDX within the five-minute block.
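The answer's bin-then-dedup pattern, as an added example that is not part of the original thread: it runs on six constructed events generated with makeresults, so it needs no index. The field names n, event_time and slot are made up for this example. It writes the 5-minute bucket to slot instead of overwriting _time, so each surviving row still shows when the event actually occurred.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "@d") + case(n=1, 10, n=2, 130, n=3, 250, n=4, 310, n=5, 400, n=6, 620)
| eval IDX = case(n=1, "A", n=2, "A", n=3, "B", n=4, "A", n=5, "B", n=6, "A")
| eval UID = "user".n, IDOK = "1"
| sort 0 -_time
| eval event_time = strftime(_time, "%H:%M:%S")
| bin span=5m _time AS slot
| dedup slot IDX
| eval slot = strftime(slot, "%H:%M")
| table event_time, slot, UID, IDX, IDOK
```

Five of the six rows survive: IDX A appears twice in the 00:00 slot and only one of those is kept, while A in the 00:05 and 00:10 slots is untouched. dedup keeps the first result it encounters, and the sort mimics an index search returning newest events first, so the survivor in each slot is the most recent event.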