@drippler Your search is worked for me as well.. Its pretty much straight and simple one. Thanks Note: Its deletes only 10k events only you have to run the search for multiple times index="Indexname" sourcetype="sourcetype" | eval eid=_cd | search [search index="Indexname" sourcetype="sourcetype" | streamstats count by _raw | search count>1 | eval eid=_cd | fields eid] |delete
... View more