Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How would I combine two searches and remove duplicates with Latest_Time?

gsteffen
Explorer
‎01-26-2015 12:45 PM

Hi,
I have two searches that I would like to combine but I would like to remove the duplicate with the Latest_Time.

My two searches:

| metadata type=hosts **index=os**  | convert ctime(recentTime) as Latest_Time | table host, Latest_Time, totalCount | sort Latest_Time

Example output:

host                              Latest_Time                       totalCount

addc1-pprd                     1/14/2015 13:21                     105
adfsproxy01-pprd                 1/14/2015 13:41                      1603
adfs02-pprd                   1/28/2015 15:10                        55

| metadata type=hosts index=msad | convert ctime(recentTime) as Latest_Time | table host, Latest_Time, totalCount | sort Latest_Time

Example output:

Index=msad      


host                Latest_Time             totalCount

addc1-pprd          1/26/2015 11:24         39685239
adfsproxy01-pprd      1/26/2015 11:23           7090659
adfs02-pprd         1/26/2015 11:24         4624827
ADDC2-PPRD          1/26/2015 11:24         49067658

I would like to see the search to generate this information:

Combined        


host                Latest_Time         totalCount

addc1-pprd          1/26/2015 11:24     39685239
adfsproxy01-pprd       1/26/2015 11:23      7090659
adfs02-pprd         1/28/2015 11:24     55
ADDC2-PPRD          1/26/2015 11:24     49067658

I'm guessing that a dedup would be used but I'm a bit stymied

Thanks in advance for your help!

Reply
1 Solution
Solved! Jump to solution
Solution

dflodstrom
Builder
‎01-26-2015 01:48 PM

If you use " | sort - Latest_time | dedup host " it should sort on time with the latest on top and the dedup the results by host keeping the value that appears first which will be the latest entry.

View solution in original post

Reply
Solved! Jump to solution
Solution

dflodstrom
Builder
‎01-26-2015 01:48 PM

If you use " | sort - Latest_time | dedup host " it should sort on time with the latest on top and the dedup the results by host keeping the value that appears first which will be the latest entry.

Reply
Solved! Jump to solution

gsteffen
Explorer
‎01-27-2015 12:13 PM

Thank you for your response. I'll give that a try.

Reply
Solved! Jump to solution

dflodstrom
Builder
‎03-04-2015 12:26 PM

any luck??

0 Karma
Reply
Solved! Jump to solution

gsteffen
Explorer
‎03-04-2015 01:08 PM

Yes. Thank you!

dedup on the end did the trick

Reply
Solved! Jump to solution

ppablo
Retired
‎03-04-2015 01:35 PM

Hi @gsteffen

Glad you found an answer through @dflodstrom 🙂 don't forget to officially accept their answer by clicking on "Accept" directly below their response and also upvote it by clicking on the up arrow on the left side of the answer.

Cheers!

Patrick

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...