Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to delete duplicate logs?

prateedshetty
Path Finder
‎02-15-2017 08:08 AM

I've uploaded the same log twice(using drag and drop option in add data) and now when I query I see duplicate results due to this. How do i delete one copy of the log?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎02-15-2017 08:32 AM 
 <your search for relevant events> | eval eid=_cd | search [<same search for relevant events> | streamstats count by _raw  | search count>1 | eval eid=_cd | fields eid] | delete

Stolen from here: https://answers.splunk.com/answers/69924/how-to-delete-duplicate-events.html

View solution in original post

Reply
Solved! Jump to solution

mclane1
Path Finder
‎05-12-2022 07:22 AM

I use something like this :

<your search>
| streamstats count by _raw
| where count>1
| eval eid=_cd
| table eid
| streamstats count
| outputlookup delete_dupplicate_byeid.csv.gz

You select and number your wanted selection.

After you can delete step by step :

<your search> 
| eval eid=_cd
| search [| inputlookup delete_dupplicate_byeid.csv.gz 
          | eval tmp=0 |  where count>=tmp*10000 AND count<=tmp*10000+9999 
          | fields eid |  format]
| delete

 

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-18-2017 05:49 PM

Like this:

Your Search That Shows Duplicates AND NOTHING ELSE | dedup _raw | delete

You will probably have to extend your user's role/permissions to run the delete command.

Reply
Solved! Jump to solution

kmccririe_splun
Splunk Employee
Splunk Employee
‎02-15-2017 08:33 AM

You can use the delete command. https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Delete

If you can write a search that limits the data to one copy, then you can pipe it to the delete command so you won't see both.

This will only stop you from seeing it, it will not get rid of the data off the indexer.

You can also clean indexes if one of the copies of data is in a different index than the other you can wipe one of the indexes of all the data in there. http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/RemovedatafromSplunk#Remove_data_from_one_...

0 Karma
Reply
Solved! Jump to solution

Yasaswy
Contributor
‎02-15-2017 08:32 AM

There is no log file to delete … your data has been indexed. To get rid of duplicate data from index… you can run a search to identify the duplicate events and pipe it to |delete command.

https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Delete

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎02-15-2017 08:32 AM 
 <your search for relevant events> | eval eid=_cd | search [<same search for relevant events> | streamstats count by _raw  | search count>1 | eval eid=_cd | fields eid] | delete

Stolen from here: https://answers.splunk.com/answers/69924/how-to-delete-duplicate-events.html

Reply
Solved! Jump to solution

bestSplunker
Contributor
‎05-16-2018 11:50 PM

this search is very slowly

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...