Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Seem to have broken dedup (showing oldest rather than newest)

merritsa
Path Finder
‎10-14-2011 08:03 AM

We have a search that someone from Splunk helped us put together a few years ago that we altered a bit:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers | dedup s2s_VendorPeers

However it seems to show the oldest occurance rather than the newest occurance. All we want to see is the newest occurance. Any idea what in there is breaking that?

Thanks.

Tags (1)
0 Karma
Reply

merritsa
Path Finder
‎10-14-2011 12:22 PM

I think I figured it out. Seems that where you stick the dedup is important. So posting this works:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | dedup s2s_VendorPeers | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers

Where this doesn't:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers | dedup s2s_VendorPeers

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎10-14-2011 09:26 AM

Try inserting a "...| sort -time" (ie. sort by descending order of time)

0 Karma
Reply

merritsa
Path Finder
‎10-14-2011 12:17 PM

Also, when I pair the search down to this:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | dedup s2s_VendorPeers

It works like expected. But I'm not able to look at the "result table" at all.

0 Karma
Reply

merritsa
Path Finder
‎10-14-2011 12:15 PM

Thank you. That doesn't seem to do it for me though for some reason. I don't want to sort the results per se; I want to change the results to show me instead only the most recent results.

I'm starting to think the search is flawed.

I don't know enough about splunk to know the difference, but I see 1 result under "results table" - the oldest one, and I see 40 results under "events list".

I don't understand why I see 40 events - the dedup should be stopping that. I also don't understand why, on "results table", I'm seeing the oldest one.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...