Splunk Search

How to edit my search to remove duplicate source, sourcetype, and _time values by host?

New Member

Hi,

This is my search and need to remove duplicate source, sourcetype, and last_time by host. Please suggest how to do this:

index=windows (search NOT sourcetype=WinHostMon NOT source=Powershell)  |stats list(_time) as last_time,list(source) as source,list(sourcetype) as sourcetype by host | eval latency_minutes=((now()-last_time)/60) | convert ctime(last_time) as last_time | fields + host, sourcetype, source, last_time

When I use the dedup command, duplicate data is not getting removed from source, sourcetype, and last_time by host.

Please find the attached screenshot and help me with removing same.

alt text

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Give this a try

index=windows (search NOT sourcetype=WinHostMon NOT source=Powershell)  | stats count by host _time source sourcetype |stats list(_time) as last_time,list(source) as source,list(sourcetype) as sourcetype by host | eval latency_minutes=((now()-last_time)/60) | convert ctime(last_time) as last_time | fields + host, sourcetype, source, last_time

Try this as well

| tstats count WHERE index=windows NOT (sourcetype=WinHostMon source=Powershell)  
by host _time source sourcetype |stats list(_time) as last_time,list(source) as source,list(sourcetype) as sourcetype by host | eval latency_minutes=((now()-last_time)/60) | convert ctime(last_time) as last_time | fields + host, sourcetype, source, last_time

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Give this a try

index=windows (search NOT sourcetype=WinHostMon NOT source=Powershell)  | stats count by host _time source sourcetype |stats list(_time) as last_time,list(source) as source,list(sourcetype) as sourcetype by host | eval latency_minutes=((now()-last_time)/60) | convert ctime(last_time) as last_time | fields + host, sourcetype, source, last_time

Try this as well

| tstats count WHERE index=windows NOT (sourcetype=WinHostMon source=Powershell)  
by host _time source sourcetype |stats list(_time) as last_time,list(source) as source,list(sourcetype) as sourcetype by host | eval latency_minutes=((now()-last_time)/60) | convert ctime(last_time) as last_time | fields + host, sourcetype, source, last_time

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Have you tried this?

index=windows (search NOT sourcetype=WinHostMon NOT source=Powershell) | dedup host, sourcetype, source, _time |stats list(_time) as last_time,list(source) as source,list(sourcetype) as sourcetype by host | eval latency_minutes=((now()-last_time)/60) | convert ctime(last_time) as last_time | fields + host, sourcetype, source, last_time
---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Yes, Was not working.

The below comment is working fine, but taking more time to get the result.

index=windows  AND  sourcetype!=WinHostMon AND source!=Powershell |stats max(_time) as last_time by host,source,sourcetype |stats list(last_time) as last_time,list(source) as source,list(sourcetype) as sourcetype by host | eval latency_minutes=((now()-last_time)/60) | convert ctime(last_time) as last_time | fields + host, sourcetype, source, last_time
0 Karma