Splunk Search

Seem to have broken dedup (showing oldest rather than newest)

Path Finder

We have a search that someone from Splunk helped us put together a few years ago that we altered a bit:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers | dedup s2s_VendorPeers

However it seems to show the oldest occurrence rather than the newest occurrence. All we want to see is the newest occurrence. Any idea what in there is breaking that?

Thanks.

0 Karma

Path Finder

I think I figured it out. Seems that where you stick the dedup is important. So posting this works:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | dedup s2s_VendorPeers | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers

Where this doesn't:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers | dedup s2s_VendorPeers

0 Karma
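Why the position of dedup matters, as an added simulation that is not part of the thread and not Splunk's own code: it assumes the base search emits events newest-first, that stats emits its rows in ascending order of the split-by fields (so oldest _time first per peer), and that dedup keeps the first row it sees per value; the peer names and timestamps are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample events (not from the thread). The base search hands
# events to the pipeline newest-first, which is the order used here.
EVENTS = [
    {"_time": 1700000300, "s2s_VendorPeers": "peerA"},
    {"_time": 1700000200, "s2s_VendorPeers": "peerB"},
    {"_time": 1700000100, "s2s_VendorPeers": "peerA"},
    {"_time": 1700000000, "s2s_VendorPeers": "peerB"},
]

def dedup(rows, field):
    """'dedup <field>': keep the first row seen per value, in arrival order."""
    seen, kept = set(), []
    for row in rows:
        if row[field] not in seen:
            seen.add(row[field])
            kept.append(row)
    return kept

def stats_count_by_peer_time(rows):
    """'stats count(...) by s2s_VendorPeers, _time': one row per group,
    output ordered by the split-by fields ascending, i.e. oldest _time first."""
    counts = {}
    for row in rows:
        key = (row["s2s_VendorPeers"], row["_time"])
        counts[key] = counts.get(key, 0) + 1
    return [{"s2s_VendorPeers": p, "_time": t, "count": c}
            for (p, t), c in sorted(counts.items())]

def ctime(rows):
    """'convert ctime(_time) as time': render the epoch as a readable string."""
    return [dict(r, time=datetime.fromtimestamp(r["_time"], timezone.utc)
                 .strftime("%m/%d/%Y %H:%M:%S")) for r in rows]

def broken_pipeline(events):
    """stats first, dedup last: dedup sees stats' ascending rows, so the
    oldest _time per peer survives (the behaviour reported above)."""
    return dedup(ctime(stats_count_by_peer_time(events)), "s2s_VendorPeers")

def fixed_pipeline(events):
    """dedup first, on the newest-first event stream, so the newest survives."""
    return ctime(stats_count_by_peer_time(dedup(events, "s2s_VendorPeers")))

def times_by_peer(rows):
    """Map each peer to the _time its surviving row carries."""
    return {r["s2s_VendorPeers"]: r["_time"] for r in rows}
```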

Splunk Employee

Try inserting a "...| sort -time" (i.e. sort in descending order of time)

0 Karma

Path Finder

Also, when I pare the search down to this:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | dedup s2s_VendorPeers

It works like expected. But I'm not able to look at the "result table" at all.

0 Karma

Path Finder

Thank you. That doesn't seem to do it for me though for some reason. I don't want to sort the results per se; I want to change the results to show me instead only the most recent results.

I'm starting to think the search is flawed.

I don't know enough about Splunk to know the difference, but I see 1 result under "results table" - the oldest one, and I see 40 results under "events list".

I don't understand why I see 40 events - the dedup should be stopping that. I also don't understand why, on "results table", I'm seeing the oldest one.

0 Karma