Solved: How to Filter duplicate event logs with different...

auaave · ‎01-04-2018

Hey guys,

I have an Error Log table with fields Event ID, Start, End, Duration, Location, Error Code.
How can I filter out events with same Start, End, Location, Error Code but different Event ID?

Thanks a lot!`

| eval DURATION=round(DURATION/60)
| stats count(DURATION) AS "ERROR_QTY" BY 'ERROR CODE'

micahkemp · ‎01-04-2018

To keep only one combination of Start, End, Location, Error Code you could do:

| dedup Start End Location "Error Code"

I'm not sure this is what you are asking, though, so if not you may need to add some clarifying details (perhaps sample input and expected output).

View solution in original post

auaave · ‎01-04-2018

Hi Guys,

all good, didn't know I can use dedup for more than 1 fields

lloydknight · ‎01-04-2018

Hello @auaave

will you kindly share a sample log for us to better address your question? Thank you.

auaave · ‎01-04-2018

@ lloydknight, thank you for reply,,, all good now I used dedup for multiple field

micahkemp · ‎01-04-2018

To keep only one combination of Start, End, Location, Error Code you could do:

| dedup Start End Location "Error Code"

I'm not sure this is what you are asking, though, so if not you may need to add some clarifying details (perhaps sample input and expected output).

How to Filter duplicate event logs with different event id?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life