Solved: Question about table and duplicate fields

ddarmand · ‎07-11-2013

Hello everyone,

I have a splunk request that creates a table with two fields X and Y and i want to deduplicate lines when there is this situatin :

           X - Y
entry 1 :  A   B
entry 2 :  B   A

how can i do that ? dedup x,y doesn't work 😞

thanks,

Damien

lguinn2 · ‎07-11-2013

You could do something like this:

yoursearchhere
| eval compareString = min(X,Y) + max(X,Y)
| dedup compareString
| fields - compareString

I am not entirely sure this will work, but I think it will

View solution in original post

lguinn2 · ‎07-11-2013

You could do something like this:

yoursearchhere
| eval compareString = min(X,Y) + max(X,Y)
| dedup compareString
| fields - compareString

I am not entirely sure this will work, but I think it will

ddarmand · ‎07-25-2013

thanks a lot

martin_mueller · ‎07-11-2013

Those two lines don't look like duplicates to me, so dedup isn't going to throw one out. One would be thrown out if X=A and Y=B is true for both events.

Question about table and duplicate fields

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Question about table and duplicate fields

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem