Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to remove events that have the same field value in the result?

SplunkTrend
New Member
‎02-04-2016 04:04 AM

Basically, what I do is extracting the first 3 characters of the host field and show it in a separate field called Place. Now what I want to show is just records having different values in the same event and not show those records that have same value. Any help is appreciated. Thank you. 

| stats list(host) AS host, list(Place) AS place by ip

IP               host          place
10.10.20.30      dalerf01      dal
                 dalerf02      dal

30.60.40.50      houl548       hou
                 grfd548       grf
0 Karma
Reply

somesoni2
Revered Legend
‎02-04-2016 07:21 PM

Try something like this

your base search which gives host, Place, ip | dedup ip Place  | stats list(host) AS host, list(Place) AS place by ip
0 Karma
Reply

renjith_nair
Legend
‎02-04-2016 05:57 AM

Try

| stats values(host) AS host, values(Place) AS place by ip

OR

Try dedup command

your search |dedup IP host place
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...