Search for Duplicate RecordNumbers

rmcdougal · ‎08-13-2012

Basically, I want to create a search that will alert me in a forwarder is indexing the same data multiple times. We currently have a few that are and I want to see how many others are doing the same thing. So what I want is a search that will return the hostname of PC's that are indexing events with the same RecordNumber on the same day. I can't figure out how to accomplish it.

ziegfried · ‎08-13-2012

Assuming that the RecordNumber is an extracted field, you could use such a search to list all host having multiple occurrences of the same RecordNumber on a single day:

RecordNumber=* | eval day=strftime(_time,"%Y%m%d") | stats count by host,day,RecordNumber | where count>0

tiny3001 · ‎04-02-2014

I know I'm resurrecting something old here... but shouldn't it be '| where count>1'

We currently running into this problem, and yes, the search above is definitely the best way of finding duplicates

Search for Duplicate RecordNumbers

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Join the Conversation

Search for Duplicate RecordNumbers

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas