Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

dedup in real time window is not working

asingla
Communicator
‎11-09-2011 08:03 AM

I am using dedup in my search and my time criteria is real time. The events are coming every minute but the results are not changing at top of the minute. I have turned on default_backfill option to fill the result very first time with the historical data. The data is getting refreshed when the current results fall out of time window i.e. after 5 minutes. And it shows again the oldest data in the window. Because of that data refresh every minute then on as the last result falls out of window.



index="summary" source="transaction_rate" | dedup site

I am seeing the latest result if I don't use the dedup command.

Tags (2)
0 Karma
Reply

asingla
Communicator
‎11-09-2011 08:18 AM

If I sort the result first and then dedup that works. Got the idea from here.

index="summary" source="transaction_rate" | sort -_time | dedup site

Looks like if you have stats command then also data does not get refreshed as the event come until the present result falls out of window. Anybody can explain why such behavior?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...