Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my current search to remove duplicate rows from the resulting table?

shivendra_infy
Path Finder
‎12-08-2016 10:49 PM

Hi

I am using a table which shows up duplicates. Example shown below.
Is there a way to write a search which removes duplicates from the table?
I am pasting the search here for reference.

*index= source="dbmon-tail://db" Status = "2" Track_Name = "Ab-Initio"|convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS UpdateDateTime |table UpdateDateTime, Track_Name,Application_Name,Component_Name,Status_Desc,lts_error_description,Comments

This above search returns the two rows below, of which I need only the latest one based on date.

alt text

Preview file
36 KB
0 Karma
Reply

rjthibod
Champion
‎12-09-2016 06:08 AM

I think it would be helpful if you could expand on what fields determine the unique rows you want to keep. Right now that seems unclear.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-09-2016 04:57 AM

Look into the dedup command.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...