Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search for Duplicate RecordNumbers

rmcdougal
Path Finder
‎08-13-2012 09:39 AM

Basically, I want to create a search that will alert me in a forwarder is indexing the same data multiple times. We currently have a few that are and I want to see how many others are doing the same thing. So what I want is a search that will return the hostname of PC's that are indexing events with the same RecordNumber on the same day. I can't figure out how to accomplish it.

0 Karma
Reply

ziegfried
Influencer
‎08-13-2012 10:02 AM

Assuming that the RecordNumber is an extracted field, you could use such a search to list all host having multiple occurrences of the same RecordNumber on a single day:

RecordNumber=* | eval day=strftime(_time,"%Y%m%d") | stats count by host,day,RecordNumber | where count>0
0 Karma
Reply

tiny3001
Path Finder
‎04-02-2014 03:16 AM

I know I'm resurrecting something old here... but shouldn't it be '| where count>1'

We currently running into this problem, and yes, the search above is definitely the best way of finding duplicates

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...