Solved: How to remove repeated duplicate values?

alexspunkshell · ‎10-01-2021

I am trying to remove duplicates in my result using the |dedup command. Even though I am seeing 2 entries in my result.

Kindly help me to remove 1 duplicate.

ITWhisperer · ‎10-01-2021

| stats count by title
| fields - count

View solution in original post

Lavender · ‎04-20-2023

I too having same kind of issue . I have tried with your solution , but still I can see duplicate values . please help @ITWhisperer

ITWhisperer · ‎04-20-2023

I have no idea what SPL you used to create that output since you didn't share it. Having said that, given that you apparently have three occurrences of the same string, perhaps your base data is at fault, or perhaps you have trailing spaces?

Lavender · ‎04-20-2023

I got the solution .

mvexpand doesn't work because the field is not a multi-value field. It's a single-value field with embedded newlines. Tried using the split function to break up the field then mvexpand and it works

Azeemering · ‎10-01-2021

This field contains multiple duplicate values I guess.

You can remove it like this:

index=graphsecurityalert | mvexpand title | dedup title | table title

Check to see which events contain those multivalues:

index=graphsecurityalert | eval c=mvcount(title) | table c

ITWhisperer · ‎10-01-2021

| eval title=mvdedup(title)

ITWhisperer · ‎10-01-2021

| stats count by title
| fields - count

How to remove repeated duplicate values?

stats

table

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies