I have a query that has an interval of a few minutes, and there are some duplicated results during that hour. When I use dedup it deletes all the previous results and displays only the latest. Has anyone met this problem? How can I dedup results only once per hour?
Solved by: | transaction locationaccident maxspan=5m | bucket span=1h _time | dedup _time | chart ... by _time
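As an added example (not part of the original question or answer), the hourly dedup pattern written as a self-contained search over a few constructed sample events, so it can be pasted into a Splunk search bar without any index. The field `locationaccident` is taken from the accepted answer; the fields `ts` and `id` and the sample timestamps and values are assumptions made for the demonstration.

```spl
| makeresults count=1
| eval _raw="2024-01-01T10:05:00 loc=A id=1;2024-01-01T10:20:00 loc=A id=1;2024-01-01T11:10:00 loc=A id=1;2024-01-01T10:30:00 loc=B id=2"
| makemv delim=";" _raw
| mvexpand _raw
| rex field=_raw "^(?<ts>\S+) loc=(?<locationaccident>\S+) id=(?<id>\S+)"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| sort 0 - ts
| bucket _time span=1h
| dedup locationaccident, _time
| table _time, locationaccident, id, ts
```

The bucket command truncates `_time` to the start of each hour, so deduplicating on `locationaccident` together with `_time` removes repeats within an hour while keeping one event per location per hour. dedup keeps the first event it sees in the current result order, so the `sort 0 - ts` step decides that the latest event in the hour survives; drop it or sort ascending to keep the earliest instead. With the constructed events above, the two 10:xx events for location A collapse to one row, the 11:10 event for A stays, and location B keeps its single row.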
Refer to this: http://splunk-base.splunk.com/answers/24470/buckettimechart-and-dedup
Thanks, will look at it!
Use transaction to group the results per hour, then apply the dedup. Thanks.