Solved: How to remove unique rows from a table? Is there a...

MayankSplunk · ‎11-25-2014

From my search and transaction command I get the following table. To further process my results, I want to remove the row with ID V3 because it does not exist for type B. Is there a command opposite to dedup?

Type      ID    Score
A         V1     123
B         V1     786
A         V2     45
B         V2     34
A         V3     95

MayankSplunk · ‎11-25-2014

Ok found a way to do it

stats count dc(Type) as sourcetypes by ID | search sourcetypes > 1

change sourcetypes > 0 to 1 to remove unique row

View solution in original post

MayankSplunk · ‎11-25-2014

Ok found a way to do it

stats count dc(Type) as sourcetypes by ID | search sourcetypes > 1

change sourcetypes > 0 to 1 to remove unique row

MayankSplunk · ‎11-25-2014

I have updated the answer.

martin_mueller · ‎11-25-2014

Wouldn't this keep all the rows?

somesoni2 · ‎11-25-2014

This can be achieved in two steps. (may need adjustment per your search)

your search producing above | eventstats count by ID | where count > 1

This will remove all the records where ID appears only once (unique).

MayankSplunk · ‎11-25-2014

Thanks @somesoni2 - that works as well.

How to remove unique rows from a table? Is there a command opposite to dedup?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms