Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to exclude duplicate events using one field and display a chart based on other fields?

jdhux
New Member
‎06-02-2016 07:48 AM

I have a search that works, but I've recently discovered that my events are recorded in two separate log files, sometimes as duplicates in each, sometimes as unique events in a single log.

The events have unique ids in them, and I'd like to use those to get a distinct count to fix things.

The original search was essentially this:

FieldChangedId | chart COUNT(eval(FieldName)) by Site, FieldName

going after an event that looks like this:

"Site":4303,
"DocumentId":99,
"FieldChangedId":161,
"FieldName":"LastLocation",

The search I have generates counts that include duplicate events because of the logging issue.

The FieldChangeId will be unique per unique event, so I'm thinking a dc of some kind on that field is how I would lose my duplicate log events. I need to express the data by Site and by FieldName, but I'm stuck on how to get the distinct in there AND also make the chart.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2016 08:23 AM

Have you tried dedup?

FieldChangedId | dedup FieldChangedId | chart COUNT(eval(FieldName)) by Site, FieldName
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

belamg
New Member
‎08-01-2019 06:43 AM

How can I refine this search string to grab those for the whole year and add other Splunk commands to break them into common ‘buckets’ with counts for each type of error without duplicate error types?

sourcetype=was_prod source="/srs/*Automation" "error"

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-01-2019 07:53 AM

@belamg This question is more than 3 years old with an accepted answer so you're unlikely to get many responses. Please post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-02-2016 08:23 AM

Have you tried dedup?

FieldChangedId | dedup FieldChangedId | chart COUNT(eval(FieldName)) by Site, FieldName
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jdhux
New Member
‎06-02-2016 11:58 AM

That did it. When I tested this out, I also found that I'd typed the end of the FieldChangedId field as ID, so... derp.

Thanks much.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...