Hi everyone
I am performing a dedup on raw of the form:
index=cisco_ucs host=KSCUCS2 splunk_server="spn2stl*" dn="sys/chassis-2/blade-8/bios/fw-boot-loader"
|dedup _raw
However, Splunk returns 2 events, which I believe should be only one as they are equivalent:
Event1:
type="blade-bios",deployment="bootloader",dn="sys/chassis-2/blade-8/bios/fw-boot-loader",version="B200M3.2.2.4a.0.041720151158",packageVersion="2.2(5c)B",site="",system_name="KSCUCS2",address="10.150.222.13"
Event2:
dn="sys/chassis-2/blade-8/bios/fw-boot-loader",deployment="bootloader",packageVersion="2.2(5c)B",
version="B200M3.2.2.4a.0.041720151158",type="blade-bios",site="",system_name="KSCUCS2",address="10.150.222.13"
Both events have the exact same fields and field-values with the exception that they are not in the same order and Splunk assumes they are different strings.
I have tried several commands such as makemv, sort, etc. with no luck.
I tried the following, and I cannot understand why it does not work:
index=cisco_ucs host=KSCUCS2 splunk_server="spn2stl*" dn="sys/chassis-2/blade-8/bios/fw-boot-loader"
|eval raw2=_raw
|makemv raw2 delim=","
|eval s=mvsort(raw2)
|rename raw2 as _raw
|dedup _raw
Thank you for your help
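
Added example, not part of the original post: an order-independent comparison of the two events above, done outside Splunk in Python by parsing the key="value" pairs, sorting them, and deduplicating on a hash of the sorted form. The function names are hypothetical, Event2 is assumed to be a single line (its break above treated as a display wrap), and EVENT3 is a constructed sample.

```python
import hashlib
import json
import re

# One key="value" pair; the value may contain commas or backslash-escaped quotes.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def canonical_key(raw):
    """Return a fingerprint that ignores the order of key="value" pairs."""
    pairs = PAIR_RE.findall(raw)
    # Anything other than separators left after removing the pairs means the
    # event is not pure key="value" text, so refuse to normalise it.
    leftover = PAIR_RE.sub("", raw).strip(", \t\r\n")
    if leftover or not pairs:
        raise ValueError("not a pure key=\"value\" event")
    # json.dumps gives an unambiguous encoding of the sorted pair list.
    canonical = json.dumps(sorted(pairs), separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def dedup_events(events):
    """Keep the first event seen for each canonical key, preserving order."""
    seen, unique = set(), []
    for raw in events:
        try:
            key = canonical_key(raw)
        except ValueError:
            key = "raw:" + raw  # unparsable: fall back to exact-string match
        if key not in seen:
            seen.add(key)
            unique.append(raw)
    return unique

# Event1 and Event2 as quoted in the post.
EVENT1 = ('type="blade-bios",deployment="bootloader",dn="sys/chassis-2/blade-8/bios/fw-boot-loader",'
          'version="B200M3.2.2.4a.0.041720151158",packageVersion="2.2(5c)B",site="",'
          'system_name="KSCUCS2",address="10.150.222.13"')
EVENT2 = ('dn="sys/chassis-2/blade-8/bios/fw-boot-loader",deployment="bootloader",packageVersion="2.2(5c)B",'
          'version="B200M3.2.2.4a.0.041720151158",type="blade-bios",site="",'
          'system_name="KSCUCS2",address="10.150.222.13"')
# Constructed sample: same fields as Event1 with a different packageVersion value.
EVENT3 = EVENT1.replace('packageVersion="2.2(5c)B"', 'packageVersion="0.0(0x)Z"')

if __name__ == "__main__":
    for event in dedup_events([EVENT1, EVENT2, EVENT3]):
        print(event)
```

Sorting parsed pairs rather than splitting the raw string on commas keeps the comparison correct when a value itself contains a comma.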