Splunk Search

dedup only 1 hr possible ?

Path Finder

I have a query that has a interval of few mins there are some duplicated results during that hour. When I use dedup it delete all the previous result and display the latest. Anyone met this problem? How can I only dedup results for every hour ?

Tags (1)
0 Karma
1 Solution

Path Finder

Solve by | transaction locationaccident maxspan=5m | bucket span=1h _time | dedup _time | chart ... by _time

View solution in original post

0 Karma

Path Finder

Solve by | transaction locationaccident maxspan=5m | bucket span=1h _time | dedup _time | chart ... by _time

View solution in original post

0 Karma

Champion

Path Finder

Thanks will look at it!

0 Karma

Champion

Use transaction to group the results per hour, then apply the dedup. Thanks

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!