Re: How to reverse results of dedup in the same co...

welcominh · ‎07-25-2017

Im having an issue when trying to dedup some values. Here are the logs of servers states im having in Splunk, from the latest to the oldest

1 - UP
2 - UP
3 - UP
4 - UP
5 - DOWN
6 - DOWN
7 - DOWN
8 - DOWN
9 - DOWN

When trying to dedup with dedup state consecutive=true i get the following results :

1 - UP
5 - DOWN

Is there any way to get instead the following results ?

4 - UP
5 - DOWN

That is to say the oldest result for UP values, and the latest for DOWN values.

Thanks in advance !

somesoni2 · ‎07-25-2017

You can do this

your base search giving latest to earliest listing of states
| reverse | dedup state consecutive=true

OR

your base search giving latest to earliest listing of states
| dedup state consecutive=true sortby +_time

welcominh · ‎07-26-2017

This does not give me the expected result...It is exactly the same problem but reversed...

9 - DOWN
4 - UP

How to reverse results of dedup in the same command ?