Solved: How to exclude data that is already duplicated?

Hong_TP · ‎06-15-2023

Hi ,

I have somthing data need to deduplicate.

I got some data from two database and save in different indexes . I use the following SPL to merge the data as

index="data1"  sourcetype="data1" | append [search index="data2" sourcetype="data2"]
|rename data1DATA as 1data
|eval dataall=coalesce(1data,2data)
|table dataall sourcetype

and I got results like this

dataall      sourcetype
------       ----------
abc,1        data1
abc,1        data2
def,2        data1
abc,3        data2

Now, I need to compare the data and exclude duplicate data . The result is like the following

dataall      sourcetype
------       ----------
def,2        data1
dbc,3        data2

Any suggestions ?

Greetings and thanks!

ITWhisperer · ‎06-15-2023

| eventstats count by dataall
| where count == 1

View solution in original post

ITWhisperer · ‎06-15-2023

| eventstats count by dataall
| where count == 1

How to exclude data that is already duplicated?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation