Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to edit my search to exclude duplicate events using one field and display a chart based on other fields?

jdhux
New Member
‎06-02-2016 07:48 AM

I have a search that works, but I've recently discovered that my events are recorded in two separate log files, sometimes as duplicates in each, sometimes as unique events in a single log.

The events have unique ids in them, and I'd like to use those to get a distinct count to fix things.

The original search was essentially this:

FieldChangedId | chart COUNT(eval(FieldName)) by Site, FieldName

going after an event that looks like this:

"Site":4303,
"DocumentId":99,
"FieldChangedId":161,
"FieldName":"LastLocation",

The search I have generates counts that include duplicate events because of the logging issue.

The FieldChangeId will be unique per unique event, so I'm thinking a dc of some kind on that field is how I would lose my duplicate log events. I need to express the data by Site and by FieldName, but I'm stuck on how to get the distinct in there AND also make the chart.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2016 08:23 AM

Have you tried dedup?

FieldChangedId | dedup FieldChangedId | chart COUNT(eval(FieldName)) by Site, FieldName
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

belamg
New Member
‎08-01-2019 06:43 AM

How can I refine this search string to grab those for the whole year and add other Splunk commands to break them into common ‘buckets’ with counts for each type of error without duplicate error types?

sourcetype=was_prod source="/srs/*Automation" "error"

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-01-2019 07:53 AM

@belamg This question is more than 3 years old with an accepted answer so you're unlikely to get many responses. Please post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2016 08:23 AM

Have you tried dedup?

FieldChangedId | dedup FieldChangedId | chart COUNT(eval(FieldName)) by Site, FieldName
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jdhux
New Member
‎06-02-2016 11:58 AM

That did it. When I tested this out, I also found that I'd typed the end of the FieldChangedId field as ID, so... derp.

Thanks much.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...