How would I combine two searches and remove duplicates with Latest_Time?

Explorer

Hi,
I have two searches that I would like to combine but I would like to remove the duplicate with the Latest_Time.

My two searches:

| metadata type=hosts index=os | convert ctime(recentTime) as Latest_Time | table host, Latest_Time, totalCount | sort Latest_Time

Example output:

host                Latest_Time        totalCount
addc1-pprd          1/14/2015 13:21    105
adfsproxy01-pprd    1/14/2015 13:41    1603
adfs02-pprd         1/28/2015 15:10    55

| metadata type=hosts index=msad | convert ctime(recentTime) as Latest_Time | table host, Latest_Time, totalCount | sort Latest_Time

Example output:

Index=msad

host                Latest_Time        totalCount
addc1-pprd          1/26/2015 11:24    39685239
adfsproxy01-pprd    1/26/2015 11:23    7090659
adfs02-pprd         1/26/2015 11:24    4624827
ADDC2-PPRD          1/26/2015 11:24    49067658

I would like to see the search to generate this information:

Combined

host                Latest_Time        totalCount
addc1-pprd          1/26/2015 11:24    39685239
adfsproxy01-pprd    1/26/2015 11:23    7090659
adfs02-pprd         1/28/2015 11:24    55
ADDC2-PPRD          1/26/2015 11:24    49067658

I'm guessing that a dedup would be used, but I'm a bit stymied.

Thanks in advance for your help!


Re: How would I combine two searches and remove duplicates with Latest_Time?

Builder

If you use " | sort - Latest_Time | dedup host " it should sort on time with the latest on top and then dedup the results by host, keeping the value that appears first, which will be the latest entry.

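The full combined search, as an added example that is not from the original thread: it unions the two metadata searches with append, sorts on the epoch recentTime before converting it (a ctime string such as "1/28/2015" sorts lexicographically, not chronologically), and keeps one row per host. The src_index field is an assumed addition so the surviving row shows which index it came from.

```spl
| metadata type=hosts index=os
| eval src_index="os"
| append
    [| metadata type=hosts index=msad
     | eval src_index="msad"]
| sort 0 - recentTime
| dedup host
| convert ctime(recentTime) as Latest_Time
| table host, src_index, Latest_Time, totalCount
```

dedup host is case-sensitive, so addc1-pprd and ADDC1-PPRD would survive as two rows; add | eval host=lower(host) before the dedup if host naming is inconsistent across indexes. Rows come out newest first; add | sort 0 recentTime before the table for the ascending order of the original searches.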


Re: How would I combine two searches and remove duplicates with Latest_Time?

Explorer

Thank you for your response. I'll give that a try.


Re: How would I combine two searches and remove duplicates with Latest_Time?

Builder

Any luck?


Re: How would I combine two searches and remove duplicates with Latest_Time?

Explorer

Yes. Thank you!

dedup on the end did the trick.


Re: How would I combine two searches and remove duplicates with Latest_Time?

Community Manager

Hi @gsteffen

Glad you found an answer through @dflodstrom 🙂 Don't forget to officially accept their answer by clicking "Accept" directly below their response, and also upvote it by clicking the up arrow on the left side of the answer.

Cheers!

Patrick