Our purpose is to get the most recent event for specific fields with the "dedup" command in an indexer cluster.
We have read a similar case at this link, but are still confused about the usage of dedup:
https://answers.splunk.com/answers/323510/how-to-keep-all-most-recent-events-for-a-specific.html
The following is our case.
Event sample (index=myIndex)
Conditions:
(1) 1 search head + 2 indexer instances (we use an indexer cluster)
(2) each event has one duplicated record (marked "duplicated event")
2019-12-04 12:00:00, machine=serverA, result=pass # duplicated event
2019-12-04 12:00:00, machine=serverA, result=pass
2019-12-04 12:00:00, machine=serverB, result=pass # duplicated event
2019-12-04 12:00:00, machine=serverB, result=pass
2019-12-03 12:00:00, machine=serverA, result=fail # duplicated event
2019-12-03 12:00:00, machine=serverA, result=fail
2019-12-03 12:00:00, machine=serverB, result=fail # duplicated event
2019-12-03 12:00:00, machine=serverB, result=fail
We want to get the most recent result for each server per day, such as:
Target result
2019-12-04 12:00:00, machine=serverA, result=pass
2019-12-04 12:00:00, machine=serverB, result=pass
2019-12-03 12:00:00, machine=serverA, result=fail
2019-12-03 12:00:00, machine=serverB, result=fail
SPL query:
index=myIndex
| dedup _time machine
Question:
Does the "dedup" command "always" return the most recent events based on the specific fields across multiple indexers?
In our case, if we apply the SPL query under these conditions, can we always get the target result?
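An added example, not from the original post, showing a search that keys the dedup on the calendar day rather than the exact `_time` value (so two events for the same machine on the same day with different timestamps still collapse to one) and that states the ordering explicitly with `sortby` instead of relying on the default result order; the index name and field names are the ones used in the post.

```spl
index=myIndex
| bin _time span=1d AS day
| dedup machine day sortby -_time
| table _time machine result
```

An order-independent alternative over the same binned field is `| stats latest(result) AS result latest(_time) AS _time BY day machine`, which picks the latest value by `_time` regardless of how the events arrive from the indexers.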