deduping one field by another field

ajdyer2000 · ‎09-19-2015

Hi

I'm very new to Splunk so hopefully this is an easy one.

I have 2 Fields server_name and userid. I would like to remove duplicates from the "userid" field while keeping the values of "server_name"

for example

Search results

server1, user1
server1, user2
server1, user2
server1, user3
server1, user4
server2, user1
server2, user1
server2, user1
server2 user2
server2, user3
server2, user4
server2, user4

What I would like the results to be:

server1, user1
server1, user2
server1, user3
server1, user4
server2, user1
server2 user2
server2, user3
server2, user4

Thanks

acharlieh · ‎09-19-2015

Looking at your results, actually you should know that dedup can take multiple fields in which case you wind up with all unique sets of fields:

base search | dedup server_name, userid

To try this out you could mock up your example data, with a base search like:

| noop | stats count | eval raw = split("server1,user1;server1,user2;server1,user2;server1,user3;server1,user4;server2,user1;server2,user1;server2,user1;server2,user2;server2,user3;server2,user4;server2,user4",";") | mvexpand raw | eval server=mvindex(split(raw,","),0) | eval user=mvindex(split(raw,","),1) | fields server,user

Then compare the result to:

| noop | stats count | eval raw = split("server1,user1;server1,user2;server1,user2;server1,user3;server1,user4;server2,user1;server2,user1;server2,user1;server2,user2;server2,user3;server2,user4;server2,user4",";") | mvexpand raw | eval server=mvindex(split(raw,","),0) | eval user=mvindex(split(raw,","),1) | fields server,user | dedup server_name, userid

MuS · ‎09-19-2015

Hi ajdyer2000,

you can try stats and the values() option:

your base search here | stats count values(server_name) AS server_name BY userid | fields - count

Hope this helps to get you started ...

cheers, MuS

deduping one field by another field

Data Management Digest – November 2025

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Are you a member of the Splunk Community?

deduping one field by another field

Data Management Digest – November 2025

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...