Solved: Re: is it possible to run remove duplicates on spe...

gooza · ‎07-19-2011

When using the remove duplicate event python is it possible to run it on specific date range?

zpavic · ‎07-19-2011

I create new script for you. http://pastebin.com/JusgWRMy

Usage: ./splunk cmd python rem_dupl_event_spec_date.py <index> <earliest_date> <latest_date>
earliest_date & latest_date syntax: %m/%d/%Y:%H:%M:%S

For example:

./splunk cmd python rem_dupl_event_spec_date.py test 05/20/2011:0:0:0 05/24/2011:23:59:59

View solution in original post

zpavic · ‎07-19-2011

I create new script for you. http://pastebin.com/JusgWRMy

Usage: ./splunk cmd python rem_dupl_event_spec_date.py <index> <earliest_date> <latest_date>
earliest_date & latest_date syntax: %m/%d/%Y:%H:%M:%S

For example:

./splunk cmd python rem_dupl_event_spec_date.py test 05/20/2011:0:0:0 05/24/2011:23:59:59

karthy · ‎11-16-2012

Hmm... I believe this script it a bit dangerous. What happens, if you have 3 events (one unique and two, which is duplicates) within the same second? Then the script will delete one of the duplicates AND the single unique event, right?

kphillipson · ‎11-07-2012

Really like this. Is there a way for it to only look at a source or sourcetype within a given index?

gooza · ‎07-19-2011

works great , Thanks!

gooza · ‎07-19-2011

Found it..
Edited the script and added to line 56 (starting with search1) earliest= latest dates :
"search1 = 'search index=' + index + 'earliest=129461760 latest=1294704000 | ..."

I don't know Perl , anyone knows how to add these dates as parameters ?

is it possible to run remove duplicates on specific dates and not on all time?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!