Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Seem to have broken dedup (showing oldest rather than newest)

merritsa
Path Finder
‎10-14-2011 08:03 AM

We have a search that someone from Splunk helped us put together a few years ago that we altered a bit:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers | dedup s2s_VendorPeers

However it seems to show the oldest occurance rather than the newest occurance. All we want to see is the newest occurance. Any idea what in there is breaking that?

Thanks.

Tags (1)
0 Karma
Reply

merritsa
Path Finder
‎10-14-2011 12:22 PM

I think I figured it out. Seems that where you stick the dedup is important. So posting this works:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | dedup s2s_VendorPeers | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers

Where this doesn't:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | stats count(s2s_VendorPeers) by s2s_VendorPeers, _time | convert ctime(_time) as time | fields time, s2s_VendorPeers | dedup s2s_VendorPeers

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎10-14-2011 09:26 AM

Try inserting a "...| sort -time" (ie. sort by descending order of time)

0 Karma
Reply

merritsa
Path Finder
‎10-14-2011 12:17 PM

Also, when I pair the search down to this:

index="Firewall" AND host= AND "PHASE 2 COMPLETED" | dedup s2s_VendorPeers

It works like expected. But I'm not able to look at the "result table" at all.

0 Karma
Reply

merritsa
Path Finder
‎10-14-2011 12:15 PM

Thank you. That doesn't seem to do it for me though for some reason. I don't want to sort the results per se; I want to change the results to show me instead only the most recent results.

I'm starting to think the search is flawed.

I don't know enough about splunk to know the difference, but I see 1 result under "results table" - the oldest one, and I see 40 results under "events list".

I don't understand why I see 40 events - the dedup should be stopping that. I also don't understand why, on "results table", I'm seeing the oldest one.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...