Splunk Search

How would I combine two searches and remove duplicates with Latest_Time?

gsteffen
Explorer

Hi,
I have two searches that I would like to combine but I would like to remove the duplicate with the Latest_Time.

My two searches:

| metadata type=hosts index=os | convert ctime(recentTime) as Latest_Time | table host, Latest_Time, totalCount | sort Latest_Time

Example output:

host                Latest_Time        totalCount
addc1-pprd          1/14/2015 13:21    105
adfsproxy01-pprd    1/14/2015 13:41    1603
adfs02-pprd         1/28/2015 15:10    55

| metadata type=hosts index=msad | convert ctime(recentTime) as Latest_Time | table host, Latest_Time, totalCount | sort Latest_Time

Example output:

Index=msad

host                Latest_Time        totalCount
addc1-pprd          1/26/2015 11:24    39685239
adfsproxy01-pprd    1/26/2015 11:23    7090659
adfs02-pprd         1/26/2015 11:24    4624827
ADDC2-PPRD          1/26/2015 11:24    49067658

I would like the search to generate this information:

Combined

host                Latest_Time        totalCount
addc1-pprd          1/26/2015 11:24    39685239
adfsproxy01-pprd    1/26/2015 11:23    7090659
adfs02-pprd         1/28/2015 11:24    55
ADDC2-PPRD          1/26/2015 11:24    49067658

I'm guessing that a dedup would be used, but I'm a bit stymied.

Thanks in advance for your help!

1 Solution

dflodstrom
Builder

If you use " | sort - Latest_time | dedup host " it should sort on time with the latest on top and then dedup the results by host, keeping the value that appears first, which will be the latest entry.
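
A full combined search built on the same sort-then-dedup idea, as an added example that is not from the thread: the two metadata searches are joined with append, the sort runs on the epoch field recentTime before it is converted to a display string (sorting the converted Latest_Time text would order it as text rather than as time), and dedup host keeps the first, i.e. most recent, row for each host. The 0 on sort lifts the default result limit so no host is silently dropped.

```spl
| metadata type=hosts index=os
| append [| metadata type=hosts index=msad]
| sort 0 - recentTime
| dedup host
| convert ctime(recentTime) as Latest_Time
| table host, Latest_Time, totalCount
```

Because dedup runs before convert, totalCount for each host comes from the index whose recentTime is newest, which is what the "Combined" table above shows.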

gsteffen
Explorer

Thank you for your response. I'll give that a try.

dflodstrom
Builder

any luck??

gsteffen
Explorer

Yes. Thank you!

dedup on the end did the trick.

ppablo
Retired

Hi @gsteffen

Glad you found an answer through @dflodstrom 🙂 don't forget to officially accept their answer by clicking on "Accept" directly below their response and also upvote it by clicking on the up arrow on the left side of the answer.

Cheers!

Patrick
