Hi,
This is my search, and I need to remove duplicate source, sourcetype, and last_time by host. Please suggest how to do this:
index=windows (search NOT sourcetype=WinHostMon NOT source=Powershell) |stats list(_time) as last_time,list(source) as source,list(sourcetype) as sourcetype by host | eval latency_minutes=((now()-last_time)/60) | convert ctime(last_time) as last_time | fields + host, sourcetype, source, last_time
When I use the dedup command, duplicate data is not getting removed from source, sourcetype, and last_time by host.
Please find the attached screenshot and help me with removing the same.