Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to reverse results of dedup in the same command ?

welcominh
New Member
‎07-25-2017 07:01 AM

Im having an issue when trying to dedup some values. Here are the logs of servers states im having in Splunk, from the latest to the oldest

1 - UP
2 - UP
3 - UP
4 - UP
5 - DOWN
6 - DOWN
7 - DOWN
8 - DOWN
9 - DOWN

When trying to dedup with dedup state consecutive=true i get the following results :

1 - UP
5 - DOWN

Is there any way to get instead the following results ?

4 - UP
5 - DOWN

That is to say the oldest result for UP values, and the latest for DOWN values.

Thanks in advance !

0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2017 10:20 AM

You can do this

your base search giving latest to earliest listing of states
| reverse | dedup state consecutive=true

OR 

your base search giving latest to earliest listing of states
| dedup state consecutive=true sortby +_time
0 Karma
Reply

welcominh
New Member
‎07-26-2017 12:46 AM

This does not give me the expected result...It is exactly the same problem but reversed...

9 - DOWN
4 - UP
0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...