I am using Splunk after a while and have lost touch with SPL. Please help me with the below.
I have about 40 fields to extract using an SPL query. I am able to get all the fields required using interesting fields.
The issue that I am facing is that I am getting duplicate records in my result set (possibly it is due to the multiple source types that I am using in my query). Just wondering what is the correct way to write SPL so that all fields that I retrieve are unique records. I don't think writing dedup on all 40 fields is a good idea. Also, I am not sure whether, if I use the stats function, I have to write values(empno) as empno, values(empstartdate) as startdate ... on all 40 fields? (If my data set has all employee details, as an example.)