Solved: Remove partial duplicate in same field

apache_strike · ‎09-15-2021

Hi everyone,

I am trying to remove partial duplicate in the same field, but couldn't find a solution yet.

For instance I have for the same field these values:

http://www.g

http://www.go

http://www.google.com

I would like to only keep the value (http://www.google.com), I tried to use dedup and mvfilter:

eval url_in_parameter=mvfilter(!url_in_parameter LIKE url_in_parameter*)

I am still a begginer on Splunk and couldn't find any similar topics on internet.

Thanks for your help and have a good day.

ITWhisperer · ‎09-15-2021

| makeresults
| eval _raw="http://www.g
http://www.go
http://www.google.com
http://www1.g
http://www1.go
http://www1.google.com
www.g
www.go
www.google.com
http://www.g
http://www.go
http://www.google.com"
| multikv noheader=t
| rename Column_1 as url
| table url



| sort - url
| streamstats values(url) as previous window=1 current=false
| eval url=if(match("^".previous,url),null(),url)
| where isnotnull(url)

View solution in original post

ITWhisperer · ‎09-15-2021

| makeresults
| eval _raw="http://www.g
http://www.go
http://www.google.com
http://www1.g
http://www1.go
http://www1.google.com
www.g
www.go
www.google.com
http://www.g
http://www.go
http://www.google.com"
| multikv noheader=t
| rename Column_1 as url
| table url



| sort - url
| streamstats values(url) as previous window=1 current=false
| eval url=if(match("^".previous,url),null(),url)
| where isnotnull(url)

Remove partial duplicate in same field

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation