Solved: Re: Dedup duplicates

HeinzWaescher · ‎03-12-2014

Hi,

what is the easiest way to filter out event duplicates without adding every field in the dedup command?
Is
| dedup _raw

the correct approach?

BR

Ayn · ‎03-12-2014

dedup _raw should work just fine, yes.

View solution in original post

HeinzWaescher · ‎03-13-2014

I've got two additional questions regarding this topic:

How can I search for the count of events that have duplicates?
How can I search for the total number of duplicates?

BR

Heinz

HeinzWaescher · ‎03-14-2014

Unfortunately I don't have an unique identifier for each event like your proposed session_id

Rocket66 · ‎03-13-2014

You can count duplicated event by using the "transaction" command. And then count the events by using "eventcount"

eg.:

eventtype="*" | transaction session_id | Where eventcount>1 | stats count by eventcount

to find out how many duplicates occured

or:

eventtype="*" | transaction session_id | Where eventcount>1 | stats count(eventcount)

to count how many different duplicated events occured

or ...

Ayn · ‎03-12-2014

dedup _raw should work just fine, yes.

HeinzWaescher · ‎03-12-2014

great, thanks

ITUser1 · ‎04-27-2015

When I try and enter the "|dedup _raw" command at the end of my search parameter I end up with no matches but when I take it off the end I end up with thousands. I can see that they are duplicates(same IP address, name, and port) but it still doesn't work. any suggestions?

Dedup duplicates

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!