Splunk Search

How to remove events that have the same field value in the result?

SplunkTrend
New Member

Basically, what I do is extract the first 3 characters of the host field and show it in a separate field called Place. Now what I want to show is just the records having different values in the same event and not show those records that have the same value. Any help is appreciated. Thank you.

| stats list(host) AS host, list(Place) AS place by ip

IP               host          place
10.10.20.30      dalerf01      dal
                 dalerf02      dal

30.60.40.50      houl548       hou
                 grfd548       grf
0 Karma

somesoni2
SplunkTrust

Try something like this

your base search which gives host, Place, ip | dedup ip Place  | stats list(host) AS host, list(Place) AS place by ip
0 Karma

renjith_nair
SplunkTrust

Try

| stats values(host) AS host, values(Place) AS place by ip

OR

Try dedup command

your search | dedup IP host place
Happy Splunking!
0 Karma
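
Added example, not part of any post in this thread: one way to keep only the IPs whose hosts map to more than one Place is to count the distinct Place values per ip with dc() and filter on that count. The makeresults stage only builds constructed sample rows matching the table in the question (replace it with your own base search), and place_count is a helper field name chosen for this example.

```spl
| makeresults format=csv data="ip,host
10.10.20.30,dalerf01
10.10.20.30,dalerf02
30.60.40.50,houl548
30.60.40.50,grfd548"
| eval Place=substr(host, 1, 3)
| stats list(host) AS host, list(Place) AS place, dc(Place) AS place_count BY ip
| where place_count > 1
| fields - place_count
```

With the sample rows, only 30.60.40.50 remains (hosts houl548 and grfd548, places hou and grf); 10.10.20.30 is dropped because both of its hosts share the Place dal.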