Solved: is it possible to run remove duplicates on specifi...

gooza · ‎07-19-2011

When using the remove duplicate event python is it possible to run it on specific date range?

zpavic · ‎07-19-2011

I create new script for you. http://pastebin.com/JusgWRMy

Usage: ./splunk cmd python rem_dupl_event_spec_date.py <index> <earliest_date> <latest_date>
earliest_date & latest_date syntax: %m/%d/%Y:%H:%M:%S

For example:

./splunk cmd python rem_dupl_event_spec_date.py test 05/20/2011:0:0:0 05/24/2011:23:59:59

View solution in original post

zpavic · ‎07-19-2011

I create new script for you. http://pastebin.com/JusgWRMy

Usage: ./splunk cmd python rem_dupl_event_spec_date.py <index> <earliest_date> <latest_date>
earliest_date & latest_date syntax: %m/%d/%Y:%H:%M:%S

For example:

./splunk cmd python rem_dupl_event_spec_date.py test 05/20/2011:0:0:0 05/24/2011:23:59:59

karthy · ‎11-16-2012

Hmm... I believe this script it a bit dangerous. What happens, if you have 3 events (one unique and two, which is duplicates) within the same second? Then the script will delete one of the duplicates AND the single unique event, right?

kphillipson · ‎11-07-2012

Really like this. Is there a way for it to only look at a source or sourcetype within a given index?

gooza · ‎07-19-2011

works great , Thanks!

gooza · ‎07-19-2011

Found it..
Edited the script and added to line 56 (starting with search1) earliest= latest dates :
"search1 = 'search index=' + index + 'earliest=129461760 latest=1294704000 | ..."

I don't know Perl , anyone knows how to add these dates as parameters ?

is it possible to run remove duplicates on specific dates and not on all time?

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor