Solved: Remove partial duplicate in same field

apache_strike · ‎09-15-2021

Hi everyone,

I am trying to remove partial duplicate in the same field, but couldn't find a solution yet.

For instance I have for the same field these values:

http://www.g

http://www.go

http://www.google.com

I would like to only keep the value (http://www.google.com), I tried to use dedup and mvfilter:

eval url_in_parameter=mvfilter(!url_in_parameter LIKE url_in_parameter*)

I am still a begginer on Splunk and couldn't find any similar topics on internet.

Thanks for your help and have a good day.

ITWhisperer · ‎09-15-2021

| makeresults
| eval _raw="http://www.g
http://www.go
http://www.google.com
http://www1.g
http://www1.go
http://www1.google.com
www.g
www.go
www.google.com
http://www.g
http://www.go
http://www.google.com"
| multikv noheader=t
| rename Column_1 as url
| table url



| sort - url
| streamstats values(url) as previous window=1 current=false
| eval url=if(match("^".previous,url),null(),url)
| where isnotnull(url)

View solution in original post

ITWhisperer · ‎09-15-2021

| makeresults
| eval _raw="http://www.g
http://www.go
http://www.google.com
http://www1.g
http://www1.go
http://www1.google.com
www.g
www.go
www.google.com
http://www.g
http://www.go
http://www.google.com"
| multikv noheader=t
| rename Column_1 as url
| table url



| sort - url
| streamstats values(url) as previous window=1 current=false
| eval url=if(match("^".previous,url),null(),url)
| where isnotnull(url)

Remove partial duplicate in same field

fields

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!