Splunk Search

Seem to have broken dedup (showing oldest rather than newest)

merritsa
Path Finder

We have a search that someone from Splunk helped us put together a few years ago that we altered a bit:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers | dedup s2s_VendorPeers

However, it seems to show the oldest occurrence rather than the newest occurrence. All we want to see is the newest occurrence. Any idea what in there is breaking that?

Thanks.

0 Karma

merritsa
Path Finder

I think I figured it out. Seems that where you stick the dedup is important. So posting this works:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | dedup s2s_VendorPeers | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers

Where this doesn't:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers | dedup s2s_VendorPeers

0 Karma

_d_
Splunk Employee

Try inserting a "...| sort -time" (i.e., sort by descending order of time)

0 Karma

merritsa
Path Finder

Also, when I pare the search down to this:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | dedup s2s_VendorPeers

It works like expected. But I'm not able to look at the "result table" at all.

0 Karma

merritsa
Path Finder

Thank you. That doesn't seem to do it for me though for some reason. I don't want to sort the results per se; I want to change the results to show me instead only the most recent results.

I'm starting to think the search is flawed.

I don't know enough about Splunk to know the difference, but I see 1 result under "results table" - the oldest one, and I see 40 results under "events list".

I don't understand why I see 40 events - the dedup should be stopping that. I also don't understand why, on "results table", I'm seeing the oldest one.

0 Karma
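As an added illustration (not from any post in this thread), here is a small Python model of the ordering that explains the two behaviours above: it assumes, as Splunk does, that search results stream newest-first, that dedup keeps the first row it sees per value, and that stats emits its rows sorted ascending by the split-by fields. The event data, peer names and function names are constructed for the example; latest_per_peer models the `stats max(_time) as _time by s2s_VendorPeers` idiom, which is the direct way to ask for the newest event per peer.

```python
# Added model of Splunk ordering (assumption): results stream newest-first,
# dedup keeps the first row per value, stats sorts by its split-by fields.
from collections import defaultdict

# Constructed sample events: (epoch _time, s2s_VendorPeers)
EVENTS = [
    (1700000000, "peerA"),
    (1700003600, "peerB"),
    (1700007200, "peerA"),
    (1700010800, "peerB"),
    (1700014400, "peerA"),
]

def search_results(events):
    """Model of raw search output: newest event first."""
    return sorted(events, key=lambda e: e[0], reverse=True)

def dedup(rows, key):
    """Model of `dedup <field>`: keep the first row seen per key value."""
    seen, out = set(), []
    for row in rows:
        k = key(row)
        if k not in seen:
            seen.add(k)
            out.append(row)
    return out

def stats_count_by_peer_time(rows):
    """`stats count(...) by s2s_VendorPeers, _time`: rows sorted ascending by peer, _time."""
    counts = defaultdict(int)
    for t, peer in rows:
        counts[(peer, t)] += 1
    return [(t, peer, counts[(peer, t)]) for (peer, t) in sorted(counts)]

def broken_pipeline(events):
    """dedup AFTER stats: the first row per peer is its smallest _time (oldest)."""
    rows = stats_count_by_peer_time(search_results(events))
    return {peer: t for t, peer, _ in dedup(rows, key=lambda r: r[1])}

def working_pipeline(events):
    """dedup BEFORE stats: the first event per peer is the newest one."""
    rows = dedup(search_results(events), key=lambda e: e[1])
    return {peer: t for t, peer, _ in stats_count_by_peer_time(rows)}

def latest_per_peer(events):
    """Equivalent of `stats max(_time) as _time by s2s_VendorPeers`."""
    latest = {}
    for t, peer in events:
        latest[peer] = max(latest.get(peer, 0), t)
    return latest
```

The 40 events in the "events list" are the raw matches before dedup runs; the "results table" shows the single row per peer that survives the pipeline, which is why its contents depend on where dedup sits.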