Hi dbcase,
I think you can use the dedup command to remove deplicate events that contain identical combination of values for the fields that you specify. You can specify the number of events with duplicate values, or value combinations, to keep. You can sort the fields. When you sort, the dedup command deduplicates the results based on the specified sort-by fields.
For example, assuming you use clientip and action to identify events, you can use the following search:
... | dedup clientip action sortby +_time
For detailed information about the dedup command, please refer to documentation:
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Dedup
Hope this helps. Thanks!
Hunter
... View more