Re: dedup in real time window is not working

asingla · ‎11-09-2011

I am using dedup in my search and my time criteria is real time. The events are coming every minute but the results are not changing at top of the minute. I have turned on default_backfill option to fill the result very first time with the historical data. The data is getting refreshed when the current results fall out of time window i.e. after 5 minutes. And it shows again the oldest data in the window. Because of that data refresh every minute then on as the last result falls out of window.



index="summary" source="transaction_rate" | dedup site

I am seeing the latest result if I don't use the dedup command.

asingla · ‎11-09-2011

If I sort the result first and then dedup that works. Got the idea from here.

index="summary" source="transaction_rate" | sort -_time | dedup site

Looks like if you have stats command then also data does not get refreshed as the event come until the present result falls out of window. Anybody can explain why such behavior?

dedup in real time window is not working

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Building Momentum: Splunk Developer Program at .conf25

Are you a member of the Splunk Community?

dedup in real time window is not working

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Building Momentum: Splunk Developer Program at .conf25