Solved: How do we disable dupliacte events to display in ...

rakesh_498115 · ‎06-26-2012

Hi

For Every Search Query i excute . I could see the list of the dupliate events associated with each search query . How can make them disable and display only the unique events associated with my search Query.

I am getting these duplicate events ..since accidently i got the source files indexed twice.I know i can i delete them...but i dnt want to delete..cause it may effect the other search queries..can you pls give me a solution to see the unique events for my search without deleting the dulicate source files...

thanx..

Ayn · ‎06-26-2012

Is both the sourcetype and source exactly the same? Otherwise, you could single out just one of the duplicated sources. Another option would to dedup by the _time or _raw fields.

View solution in original post

yannK · ‎06-26-2012

You can use the command | dedup to keep only one of them. In your case the field can be _raw.

" mysearch | dedup _raw | myotherthingstodolikestats"

Ayn · ‎06-26-2012

Is both the sourcetype and source exactly the same? Otherwise, you could single out just one of the duplicated sources. Another option would to dedup by the _time or _raw fields.

rakesh_498115 · ‎06-26-2012

Thanks .:)

How do we disable dupliacte events to display in the search results

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!