Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to remove duplicates of one field per anot...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Krapht
Explorer
05-24-2021
10:53 PM
Going to be very tough to explain but I'll give it my best shot. I have some fields I'm trying to report on, IP and ID. There can be multiple duplicate ID's per IP, and vice versa. I would like to remove duplicate ID's per IP, but can't dedup on ID because some IP's could have the same ID. I also tried stats values(ID) by IP, but there are other fields that also need to be reported on and from my research I couldn't find a way to use multiple values.
Example:
What I currently get
IP1 ID1
IP1 ID1
IP1 ID2
IP1 ID2
IP2 ID1
IP2 ID1
IP2 ID2
IP2 ID2
What I want to get
IP1 ID1
IP1 ID2
IP2 ID1
IP2 ID2
OR (Preferably) in table format
IP 1 ID1 Name
ID2 Name
-------------------------|
IP 2 ID1 Name
ID2 Name
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aasabatini
Motivator
05-24-2021
11:03 PM
Hi @Krapht
Can you try this?
| stats values(ID) as ID values(name) as name by IPRegards
Alessandro
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Krapht
Explorer
05-24-2021
11:48 PM
I believe I found my own answer in the docs upon further research:
Keep results that have the same combination of values in multiple fields
For search results that have the same source AND host values, keep the first 2 that occur and remove all subsequent results.
... | dedup 2 source host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuanliu
SplunkTrust
05-25-2021
12:23 AM
In this case, you should accept your own reply to mark the question as answered. (Yes, dedup is an effective way to do this.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aasabatini
Motivator
05-24-2021
11:03 PM
Hi @Krapht
Can you try this?
| stats values(ID) as ID values(name) as name by IPRegards
Alessandro
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Krapht
Explorer
05-25-2021
08:59 AM
This worked great, thanks 🙂
Get Updates on the Splunk Community!
Now Playing: Splunk Education Summer Learning Premieres
It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
The Visibility Gap: Hybrid Networks and IT Services
The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...
Get Operational Insights Quickly with Natural Language on the Splunk Platform
In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
