How do we disable duplicate events from displaying in the search results?

rakesh_498115
Motivator

Hi

For every search query I execute, I can see a list of duplicate events associated with each search query. How can I disable them and display only the unique events associated with my search query?

I am getting these duplicate events since I accidentally got the source files indexed twice. I know I can delete them, but I don't want to delete them, because it may affect the other search queries. Can you please give me a solution to see the unique events for my search without deleting the duplicate source files?

Thanks.

0 Karma
1 Solution

Ayn
Legend

Are both the sourcetype and source exactly the same? Otherwise, you could single out just one of the duplicated sources. Another option would be to dedup by the _time or _raw fields.

yannK
Splunk Employee

You can use the command | dedup to keep only one of them. In your case the field can be _raw.

" mysearch | dedup _raw | myotherthingstodolikestats"

0 Karma

rakesh_498115
Motivator

Thanks. :)

0 Karma