Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Seem to have broken dedup (showing oldest rather than newest)

merritsa
Path Finder
‎10-14-2011 08:03 AM

We have a search that someone from Splunk helped us put together a few years ago that we altered a bit:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers | dedup s2s_VendorPeers

However it seems to show the oldest occurance rather than the newest occurance. All we want to see is the newest occurance. Any idea what in there is breaking that?

Thanks.

Tags (1)
0 Karma
Reply

merritsa
Path Finder
‎10-14-2011 12:22 PM

I think I figured it out. Seems that where you stick the dedup is important. So posting this works:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | dedup s2s_VendorPeers | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers

Where this doesn't:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers | dedup s2s_VendorPeers

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎10-14-2011 09:26 AM

Try inserting a "...| sort -time" (ie. sort by descending order of time)

0 Karma
Reply

merritsa
Path Finder
‎10-14-2011 12:17 PM

Also, when I pair the search down to this:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | dedup s2s_VendorPeers

It works like expected. But I'm not able to look at the "result table" at all.

0 Karma
Reply

merritsa
Path Finder
‎10-14-2011 12:15 PM

Thank you. That doesn't seem to do it for me though for some reason. I don't want to sort the results per se; I want to change the results to show me instead only the most recent results.

I'm starting to think the search is flawed.

I don't know enough about splunk to know the difference, but I see 1 result under "results table" - the oldest one, and I see 40 results under "events list".

I don't understand why I see 40 events - the dedup should be stopping that. I also don't understand why, on "results table", I'm seeing the oldest one.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...