Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I dedup one part of a combined search?

rjlohan
Explorer
‎06-23-2015 06:26 PM

Hi,

How can I dedup one input to a combined search?

e.g;

index=dataA OR index=dataB | dedup <some field only present in dataB>

dataB has duplicate records, and I want to exclude only those records in dataB, by a field present in only those records.

Tags (1)
0 Karma
Reply

fdi01
Motivator
‎06-24-2015 02:33 AM

try with fields command to remove this fields before use it, like this:

index=dataA OR index=dataB | ...|fields -source_name_fields, host, ip, ....
0 Karma
Reply

acharlieh
Influencer
‎06-23-2015 08:36 PM

Assuming that the field is only present in dataB, you could do:

| dedup <field only present in dataB> keepempty=true

This will keep unique values of that field plus all events where the field isn't present. See the docs on dedup for more specific detail, and other options.

0 Karma
Reply

rjlohan
Explorer
‎06-23-2015 10:46 PM

Thanks, I did try that but it didn't seem to do the job. If I search just that source and dedup, fine. But if I include multiple sources, duplicate records reappeared. I am also piping the results to transaction command, and that may have an impact too.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...