Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Remove Alike Values in a Field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunk Answers, How can I remove this duplicate line? See sample below:
From:
row1 row2 row3
1.1.1.1 XXX alpha.splunk.com
alpha
2.2.2.2 YYY beta.splunk.com
BETA
3.3.3.3 ZZZ delta.splunkanswers.com
delta
4.4.4.4 AAA abcdefgh
to:
row1 row2 row3
1.1.1.1 XXX alpha.splunk.com
2.2.2.2 YYY beta.splunk.com
3.3.3.3 ZZZ delta.splunkanswers.com
4.4.4.4 AAA abcdefgh
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If they are multivalue fields and you want the first:
| eval row3=mvindex(row3, 0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If they are multivalue fields and you want the first:
| eval row3=mvindex(row3, 0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works, thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, here's another example.
from:
field1 field2 field3 field4
row1 1.1.1.1 XXX alpha.splunk.com
alpha
row2 2.2.2.2 YYY beta.splunk.com
BETA
row3 3.3.3.3 ZZZ delta.splunkanswers.com
delta
row4 4.4.4.4 AAA abcdefgh
to:
field1 field2 field3 field4
row1 1.1.1.1 XXX alpha.splunk.com
row2 2.2.2.2 YYY beta.splunk.com
row3 3.3.3.3 ZZZ delta.splunkanswers.com
row4 4.4.4.4 AAA abcdefgh
or:
field2 field3 field4
1.1.1.1 XXX alpha.splunk.com
2.2.2.2 YYY beta.splunk.com
3.3.3.3 ZZZ delta.splunkanswers.com
4.4.4.4 AAA abcdefgh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, that doesn't really help. Can you provide (sanitised) examples of your raw events and the searches you are currently using to get your current results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is not clear what these "lines" are - are they all in a single field called row3 with linebreaks? are they multivalues? have they been created by stats values/list functions, or transaction commands?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a sample output using stats values. Sorry, I give a wrong example. Here's the current one.
from:
field1 field2 field3 field4
row1 1.1.1.1 XXX alpha.splunk.com
alpha
row2 2.2.2.2 YYY beta.splunk.com
BETA
row3 3.3.3.3 ZZZ delta.splunkanswers.com
delta
row4 4.4.4.4 AAA abcdefgh
To:
field1 field2 field3 field4
row1 1.1.1.1 XXX alpha.splunk.com
row2 2.2.2.2 YYY beta.splunk.com
row3 3.3.3.3 ZZZ delta.splunkanswers.com
row4 4.4.4.4 AAA abcdefgh
So, for field4, alpha.splunk.com and alpha is just one value (multi-value), beta and beta.splunk.com is one value (multi-value), so on...
I want to remove the redundant names (hostname only and host with FQDN) as long it same value (example: alpha and alpha.splunk.com)
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
