Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Keep transactions without duplicates without TRANSACTION or DEDUP

splunked38
Communicator
‎09-25-2015 03:55 AM

Hi,

I'm currently using the expensive transaction command to keep transactions without any duplicates.

So if I had
a
b
c
c
d
d
d

this would return
a
b

sourcetype... | transaction name keepevicted=true | search eventcount=1

I'm trying to use:

search sourcetype=... | streamstats count by name

Which will give me a new field 'count' however I can't use where count>1 as one of the duplicates still remain.
I've hit a mental block, any ideas?

Can't use dedup for the same problem, one instance will still remain.

Thanks in advance.

0 Karma
Reply

somesoni2
Revered Legend
‎09-25-2015 08:04 AM

Here you go

your base search | eventstats count by name | where count=1
0 Karma
Reply

splunked38
Communicator
‎09-28-2015 12:52 AM

Thanks but sorry, this does not meet the spec.

If a duplicate is found, remove all entries.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top