Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to remove duplicates of one field per another ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Krapht
Explorer
05-24-2021
10:53 PM
Going to be very tough to explain but I'll give it my best shot. I have some fields I'm trying to report on, IP and ID. There can be multiple duplicate ID's per IP, and vice versa. I would like to remove duplicate ID's per IP, but can't dedup on ID because some IP's could have the same ID. I also tried stats values(ID) by IP, but there are other fields that also need to be reported on and from my research I couldn't find a way to use multiple values.
Example:
What I currently get
IP1 ID1
IP1 ID1
IP1 ID2
IP1 ID2
IP2 ID1
IP2 ID1
IP2 ID2
IP2 ID2
What I want to get
IP1 ID1
IP1 ID2
IP2 ID1
IP2 ID2
OR (Preferably) in table format
IP 1 ID1 Name
ID2 Name
-------------------------|
IP 2 ID1 Name
ID2 Name
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aasabatini
Motivator
05-24-2021
11:03 PM
Hi @Krapht
Can you try this?
| stats values(ID) as ID values(name) as name by IPRegards
Alessandro
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Krapht
Explorer
05-24-2021
11:48 PM
I believe I found my own answer in the docs upon further research:
Keep results that have the same combination of values in multiple fields
For search results that have the same source AND host values, keep the first 2 that occur and remove all subsequent results.
... | dedup 2 source host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuanliu
SplunkTrust
05-25-2021
12:23 AM
In this case, you should accept your own reply to mark the question as answered. (Yes, dedup is an effective way to do this.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aasabatini
Motivator
05-24-2021
11:03 PM
Hi @Krapht
Can you try this?
| stats values(ID) as ID values(name) as name by IPRegards
Alessandro
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Krapht
Explorer
05-25-2021
08:59 AM
This worked great, thanks 🙂
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
