

The following are examples for using the SPL2 stats command. To learn more about the stats command, see How the stats command works. Many of these examples use the statistical functions. See Overview of SPL2 stats and chart functions.

The AS and BY keywords are displayed in uppercase in the syntax and examples to make the syntax easier to read. You can specify the AS and BY keywords in uppercase or lowercase in your searches.

1. A simple calculation

If you just want a simple calculation, you can specify the aggregation without any other arguments. This search summarizes the bytes for all of the incoming results. The name of the column is the name of the aggregation.

2. Grouping results by a field

This example takes the incoming result set, calculates the sum of the bytes field, and groups the sums by the values in the host field. The results contain as many rows as there are distinct host values. There are two columns returned: host and sum(bytes). If you don't specify a name for the results using the AS syntax, then the names of the columns are the name of the field and the name of the aggregation. If there are two distinct hosts, the results are returned as a two-row table.

3. Specifying multiple aggregations and multiple by-clause fields

You can also specify more than one aggregation and more than one by-clause field with the stats command. You can rename the output fields using the AS clause.

| stats sum(bytes) AS 'Sum of bytes', avg(bytes) AS Average BY host, sourcetype

This search organizes the incoming search results into groups based on the combination of host and sourcetype. It returns the sum of the bytes in the Sum of bytes field and the average bytes in the Average field for each group. If there are two distinct hosts and two distinct sourcetypes, the search produces one row for each host and sourcetype combination that occurs in the results, up to four rows.

4. Organizing results into time spans

This example counts the values in the action field and organizes the results into 30 minute time spans. When you use the span argument, the field you use in the by-clause must be either the _time field, or another field with values in UNIX time.

Non-streaming commands

Non-streaming commands force the entire set of events to the search head. This requires a lot of data movement and a loss of. For example, before the sort command can begin to sort the events, the entire set of events must be received by the sort command. Other examples of non-streaming commands include dedup (in some modes), stats, and top.

The dedup command

Removes the events that contain an identical combination of values for the fields that you specify. With the dedup command, you can specify the number of duplicate events to keep for each value of a single field, or for each combination of values among several fields.

Events returned by the dedup command are based on search order. For historical searches, the most recent events are searched first. For real-time searches, the first events that are received are searched, which are not necessarily the most recent events.

Removing duplicate results based on one field: suppose that your search results contain duplicate values in the host field and you want to remove the results where the host is a duplicate value. Deduplicating on host returns only one result for each host value.

Removing duplicate results based on multiple fields: you can specify more than one field with the dedup command. For example, when you deduplicate on host name and client IP address, duplicate results are removed for each combination of host name and client IP address.
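The following is an added example, not Splunk code or text from the original page: a small Python model of the stats and dedup semantics described above (the four stats examples and the two dedup examples), run over a handful of constructed web events. The field names (host, sourcetype, clientip, action, bytes), the values and the timestamp boundary B are assumed sample data. It shows the group-by and span bucketing behaviour of stats, and the search-order caveat of dedup that matters when an analyst uses `dedup host` to get "the latest event per host": in a historical search that is the most recent event, but in a real-time search it is the first event received, which here is the oldest.

```python
"""Model of the SPL2 stats and dedup semantics described above, run over
constructed events. Added illustration, not Splunk code; every field name
and value below is assumed sample data."""
from collections import OrderedDict
from statistics import mean

# A 30-minute boundary in UNIX time (1_699_999_200 % 1800 == 0), constructed.
B = 1_699_999_200

# Constructed events in the order a real-time search would receive them
# (oldest first). A historical search examines them most recent first.
EVENTS = [
    {"_time": B + 60,   "host": "web-1", "sourcetype": "access", "clientip": "10.0.0.5", "action": "login", "bytes": 500},
    {"_time": B + 120,  "host": "web-2", "sourcetype": "access", "clientip": "10.0.0.9", "action": "login", "bytes": 300},
    {"_time": B + 1850, "host": "web-1", "sourcetype": "auth",   "clientip": "10.0.0.5", "action": "fail",  "bytes": 100},
    {"_time": B + 1900, "host": "web-1", "sourcetype": "access", "clientip": "10.0.0.7", "action": "login", "bytes": 700},
    {"_time": B + 2000, "host": "web-2", "sourcetype": "auth",   "clientip": "10.0.0.9", "action": "fail",  "bytes": 200},
    {"_time": B + 2100, "host": "web-2", "sourcetype": "access", "clientip": "10.0.0.9", "action": "login", "bytes": 400},
]


def span_bucket(t, span_seconds):
    """Floor a UNIX timestamp to the start of its span, like span(_time, 30m)."""
    return t - (t % span_seconds)


def stats(events, aggs, by=(), span=None):
    """Evaluate `| stats <aggs> BY <by>`.

    aggs: list of (func, field, alias) with func in {"sum", "avg", "count"};
          alias None names the column "<func>(<field>)", as stats does without AS.
    by:   field names to group on; with span set, _time is bucketed into
          spans of that many seconds (the span argument described above).
    """
    groups = OrderedDict()
    for ev in events:
        key = tuple(span_bucket(ev["_time"], span) if (f == "_time" and span) else ev.get(f)
                    for f in by)
        groups.setdefault(key, []).append(ev)
    rows = []
    for key, evs in sorted(groups.items()):  # one row per group, ordered by the BY fields
        row = dict(zip(by, key))
        for func, field, alias in aggs:
            vals = [e[field] for e in evs if e.get(field) is not None]
            if func == "sum":
                value = sum(vals)
            elif func == "avg":
                value = mean(vals) if vals else None
            elif func == "count":
                value = len(vals)
            else:
                raise ValueError(f"unsupported aggregation {func}")
            row[alias or f"{func}({field})"] = value
        rows.append(row)
    return rows


def dedup(events, fields, keep=1, realtime=False):
    """Evaluate `| dedup [keep] <fields>`.

    Keeps the first `keep` events seen per distinct combination of `fields`,
    in search order: historical searches see the most recent events first,
    real-time searches see events in arrival order (here, list order).
    """
    ordered = list(events) if realtime else sorted(events, key=lambda e: e["_time"], reverse=True)
    seen = {}
    kept = []
    for ev in ordered:
        key = tuple(ev.get(f) for f in fields)
        if seen.get(key, 0) < keep:
            seen[key] = seen.get(key, 0) + 1
            kept.append(ev)
    return kept


def last_client_per_host(realtime=False):
    """'Most recent client per host' via `dedup host`: correct for a historical
    search, but a real-time search keeps the first event received instead."""
    return {ev["host"]: ev["clientip"] for ev in dedup(EVENTS, ("host",), realtime=realtime)}


if __name__ == "__main__":
    print(stats(EVENTS, [("sum", "bytes", None)]))                                # example 1
    print(stats(EVENTS, [("sum", "bytes", None)], by=("host",)))                  # example 2
    print(stats(EVENTS, [("sum", "bytes", "Sum of bytes"), ("avg", "bytes", "Average")],
                by=("host", "sourcetype")))                                      # example 3
    print(stats(EVENTS, [("count", "action", None)], by=("_time",), span=1800))  # example 4
    print(dedup(EVENTS, ("host", "clientip")))                                    # dedup on two fields
    print(last_client_per_host(), last_client_per_host(realtime=True))
```

With these events, `last_client_per_host()` reports 10.0.0.7 for web-1 from a historical search but 10.0.0.5 from a real-time one, which is the difference the search-order note above warns about; a detection that relies on "latest value per host" in a real-time search should sort on _time explicitly rather than trust dedup alone.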
