Solved: Question about table and duplicate fields

ddarmand · ‎07-11-2013

Hello everyone,

I have a splunk request that creates a table with two fields X and Y and i want to deduplicate lines when there is this situatin :

           X - Y
entry 1 :  A   B
entry 2 :  B   A

how can i do that ? dedup x,y doesn't work 😞

thanks,

Damien

lguinn2 · ‎07-11-2013

You could do something like this:

yoursearchhere
| eval compareString = min(X,Y) + max(X,Y)
| dedup compareString
| fields - compareString

I am not entirely sure this will work, but I think it will

View solution in original post

lguinn2 · ‎07-11-2013

You could do something like this:

yoursearchhere
| eval compareString = min(X,Y) + max(X,Y)
| dedup compareString
| fields - compareString

I am not entirely sure this will work, but I think it will

ddarmand · ‎07-25-2013

thanks a lot

martin_mueller · ‎07-11-2013

Those two lines don't look like duplicates to me, so dedup isn't going to throw one out. One would be thrown out if X=A and Y=B is true for both events.

Question about table and duplicate fields

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

Question about table and duplicate fields

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console