Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to avoid displaying duplicate logs in search results?

rajgowd1
Communicator
‎10-17-2016 10:01 AM

I am trying to search /var/log/messages log with keywords like shutdown or Error and storing it in message.log

and doing index on message.log

I have a log around at 5 mins ago like 11:30 AM EST says system is shutdown and I displayed this error log in a table format.

Around at 11:40 AM EST, when I ran search command in a table format, I see SYSTEM is Shutdown, but we already knew that system is down at 11:30 AM EST and now I don't want to see this message again.

How can we achieve this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-18-2016 01:07 AM

I agree with the others that the best way is to limit your timerange.
Every way you could extract a field with error and dedup using this field and host.

your search | dedup host error | table ...

Bye,
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-18-2016 01:07 AM

I agree with the others that the best way is to limit your timerange.
Every way you could extract a field with error and dedup using this field and host.

your search | dedup host error | table ...

Bye,
Giuseppe

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎10-17-2016 10:57 AM

It sounds like you should be extracting these fields at search time and using dedup, but it is difficult to be sure without seeing your search. Can you post your search?

0 Karma
Reply
Solved! Jump to solution

adamsaul
Communicator
‎10-17-2016 10:11 AM

rajgowd1,

I'd like more information or perhaps a screenshot to help you to remove the duplicate logs. It sounds like you just need to change your search time window.

Adam

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-17-2016 10:36 AM

You can use timemodifiers to limit your logs to a specific timeframe. So for example, if you run you search every 5 mins, you can limit your search to prev 5 mins data using earliest=-5M@m in your base search.

https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/SearchTimeModifiers

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...