×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
cyberhaven
New Member
Member since: ‎05-27-2023
‎05-28-2023
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-27-2023
Activity Feed
View All

Deduplicate events- How can we override?

by in Getting Data In
‎05-27-2023 10:43 PM
‎05-27-2023 10:43 PM
We have a script as a data source, and sometimes events could be duplicated (same ID). Using | dedup id in the search helps, but we want to override events with the same ID if possible. We have tried some solutions from the internet and documentation, but they haven't helped.   props.conf [incidents_script] TZ = UTC category = Splunk App Add-on Builder pulldown_type = 1 python.version = python3 TRUNCATE = 1000000 INDEXED_EXTRACTIONS = json TIMESTAMP_FIELDS = trigger_time SHOULD_LINEMERGE = false AUTO_KV_JSON = false KV_MODE = none TRANSFORMS-index = replace_existing deduplicate REPORT-id = extract_id TRANSFORMS-debug = debug_deduplicate EXTRACT-id = "id"\s*:\s*"([^"]+)" transforms.conf [replace_existing] REGEX = . DEST_KEY = _SYS_CHECKSUM FORMAT = index-replace [deduplicate] REGEX = . MV_ADD = true [debug_deduplicate] REGEX = . MV_ADD = true [extract_id] REGEX = "id"\s*:\s*"([^"]+)" FORMAT = id::$1 ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-28-2023 02:04 AM