...o get the total number of events, and data set size. Then ran the same search with the dedup command to reduce out all the duplicate events..... | dedup _time _raw The problem is the dedup command...
My problem is that I cannot understand why I get a different statistics number depending on whether I place the dedup command before or after the sort command.
query:
host="web_application" s...
From my search and transaction command I get the following table. To further process my results, I want to remove the row with ID V3 because it does not exist for type B. Is there a command o...
...ew column using the dedup command (that I already have and works), but filters a new result with less logs count. I would like to have something like:
errortype count newcount
How can I do it?
I have an instance using ServiceNow data where I want to dedup the data based on sys_updated_on to get the last update and status of the incident.
sourcetype="snow:pm_project" | dedup n...
Hi,
The dedup command gives recent unique values based on the fields mentioned. I want to know whether these recent values are identified based on _time or _indextime. I could not find it mentioned anywhere.
Thanks,
Hello guys,
Is there any way that I could remove duplicate events that have the same timestamp using the search string below:
index=* (EventCode=4624 OR EventCode=4625)
| stats count(Ke...
When I am running the following search:
index=main sourcetype="access_combined_wcookie"| stats list(useragent) as Browsers | dedup Browsers consecutive=true
The dedup command is not r...
...yIndexField2 as Total2 | eval CalcField=(Total1/Total2)
There are some commands I will pipe in once I get this solved but for now just trying to figure this out. I keep getting issues when I dedup...