Solved: Question about table and duplicate fields

ddarmand · ‎07-11-2013

Hello everyone,

I have a splunk request that creates a table with two fields X and Y and i want to deduplicate lines when there is this situatin :

           X - Y
entry 1 :  A   B
entry 2 :  B   A

how can i do that ? dedup x,y doesn't work 😞

thanks,

Damien

lguinn2 · ‎07-11-2013

You could do something like this:

yoursearchhere
| eval compareString = min(X,Y) + max(X,Y)
| dedup compareString
| fields - compareString

I am not entirely sure this will work, but I think it will

View solution in original post

lguinn2 · ‎07-11-2013

You could do something like this:

yoursearchhere
| eval compareString = min(X,Y) + max(X,Y)
| dedup compareString
| fields - compareString

I am not entirely sure this will work, but I think it will

ddarmand · ‎07-25-2013

thanks a lot

martin_mueller · ‎07-11-2013

Those two lines don't look like duplicates to me, so dedup isn't going to throw one out. One would be thrown out if X=A and Y=B is true for both events.

Question about table and duplicate fields

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!