Hi
For Every Search Query i excute . I could see the list of the dupliate events associated with each search query . How can make them disable and display only the unique events associated with my search Query.
I am getting these duplicate events ..since accidently i got the source files indexed twice.I know i can i delete them...but i dnt want to delete..cause it may effect the other search queries..can you pls give me a solution to see the unique events for my search without deleting the dulicate source files...
thanx..
Is both the sourcetype and source exactly the same? Otherwise, you could single out just one of the duplicated sources. Another option would to dedup by the _time
or _raw
fields.
You can use the command | dedup
" mysearch | dedup _raw | myotherthingstodolikestats"
Is both the sourcetype and source exactly the same? Otherwise, you could single out just one of the duplicated sources. Another option would to dedup by the _time
or _raw
fields.
Thanks .:)