Solved: Re: How to remove repeated duplicate values

alexspunkshell · ‎10-01-2021

I am trying to remove duplicates in my result using the |dedup command. Even though I am seeing 2 entries in my result.

Kindly help me to remove 1 duplicate.

ITWhisperer · ‎10-01-2021

| stats count by title
| fields - count

View solution in original post

Lavender · ‎04-20-2023

I too having same kind of issue . I have tried with your solution , but still I can see duplicate values . please help @ITWhisperer

ITWhisperer · ‎04-20-2023

I have no idea what SPL you used to create that output since you didn't share it. Having said that, given that you apparently have three occurrences of the same string, perhaps your base data is at fault, or perhaps you have trailing spaces?

Lavender · ‎04-20-2023

I got the solution .

mvexpand doesn't work because the field is not a multi-value field. It's a single-value field with embedded newlines. Tried using the split function to break up the field then mvexpand and it works

Azeemering · ‎10-01-2021

This field contains multiple duplicate values I guess.

You can remove it like this:

index=graphsecurityalert | mvexpand title | dedup title | table title

Check to see which events contain those multivalues:

index=graphsecurityalert | eval c=mvcount(title) | table c

ITWhisperer · ‎10-01-2021

| eval title=mvdedup(title)

ITWhisperer · ‎10-01-2021

| stats count by title
| fields - count

How to remove repeated duplicate values?

other

stats

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?