Solved: How to remove Duplicate values in different field?

alexspunkshell · ‎08-11-2022

How to remove duplicate values in a different field

|stats count by src dest

yuanliu · ‎08-11-2022

The most straightforward implementation is

| stats count by src dest
| where src != dest

Alternatively,

| where src != dest
| stats count by src dest

View solution in original post

richgalloway · ‎08-11-2022

Where are the duplicates? I see the first 3 octets of some IP addresses match, but stats looks at the entire field, not just parts of it. If you need to deduplicate on the first 3 octets, then use rex or split to extract it into a new field and dedup on that new field.

---
If this reply helps you, Karma would be appreciated.

alexspunkshell · ‎08-11-2022

@richgalloway Thanks for the reply

I am getting similar IPs in both src & dest fields.

So I want to remove in results if both src & dest are the same.

yuanliu · ‎08-11-2022

The most straightforward implementation is

| stats count by src dest
| where src != dest

Alternatively,

| where src != dest
| stats count by src dest

Taruchit · ‎08-11-2022

Hi @alexspunkshell,

Please confirm if I understood your requirement correctly: -

There are two fields in the result: - src and dest.

If in a given row both src and dest are same, then you need to filter out those rows from the result.

Thank you

alexspunkshell · ‎08-11-2022

@Taruchit You are right.

How to remove Duplicate values in different field?

chart

eval

stats

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?