Before you delete anything, establish a baseline so you can verify the result afterwards:

1) Run the search index=<your_index> and record the number of events it returns. This is the count of events including the duplicates. Check the results and note a day and time where you see duplicates.

2) Next run the same search with the deduplication applied. This will return your index less the duplicates. Record the number of events returned by the search, and check the results to make sure there are no duplicates at the day and time where you noticed them in step 1. The difference between the two counts is the number of events the delete should remove, so compare it against the number of events the delete search reports afterwards.

Delete is a capability (delete_by_keyword, granted by the built-in can_delete role), not something every user can run. Check your capabilities before you attempt this: you will need a user role that has the delete capability to do the delete. Note also that the delete command only marks the matching events so that they no longer appear in search results; it does not remove them from disk or reclaim space.

My solution was to do a subsearch that returns a deduped list of events, where the returned value was a unique field. You will need one unique field in your index of events. This solution should delete every duplicate value. It may be susceptible to stats or return limits. Note that the search has not been tested with a large number of events. A lookup table may be the best way to go about it.

Run a search to both find and delete dupes. The test data was indexed once from a file with the CLI (root prompt):

    # /opt/splunk/bin/splunk add oneshot /tmp/fullODupes.txt

Identical events that arrive within one second of each other are grouped by appending this to the base search:

    | transaction _raw maxspan=1s keepevicted=true mvlist=t

Then look for events whose ids match the lookup table's delete_ids and pipe them through delete.
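The grouping the post relies on (identical _raw text within a one-second span, as `transaction _raw maxspan=1s` does) and the two baseline counts from steps 1 and 2 can be modelled offline before touching a live index. The following is an added example, not code from the original post or from Splunk: it is a Python model of that logic over a constructed set of events, not SPL, and the field name `event_id`, the `delete_id` lookup column and the sample log lines are assumptions. It keeps the earliest event of each group, lists the rest as candidates for deletion in a lookup-style CSV, and checks that the count with duplicates minus the deduped count equals the number of events marked for deletion, which is exactly the check the two steps above ask you to make by hand.

```python
"""Offline model of finding duplicate events before running | delete in Splunk.

Added example with constructed sample data; this is not Splunk code and does
not talk to a Splunk instance. It mirrors two things from the post:
  * the grouping done by `transaction _raw maxspan=1s`: events with identical
    raw text whose timestamps lie within one second form one group, and
  * the step 1 / step 2 sanity check: count with duplicates minus deduped
    count must equal the number of events you intend to delete.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    event_id: str      # the one unique field the post requires (name assumed)
    time: datetime     # stands in for _time
    raw: str           # stands in for _raw


MAXSPAN = timedelta(seconds=1)   # same span as `transaction ... maxspan=1s`

# Constructed sample: a sub-second burst of three identical events (e1-e3),
# a pair of identical events 0.7 s apart (e4, e5), and a genuine repeat of
# the first message five minutes later (e6) that must NOT be treated as a dupe.
SAMPLE_EVENTS: List[Event] = [
    Event("e1", datetime(2023, 5, 1, 10, 0, 0, 100000), "sshd[1]: Accepted publickey for alice from 10.0.0.5"),
    Event("e2", datetime(2023, 5, 1, 10, 0, 0, 400000), "sshd[1]: Accepted publickey for alice from 10.0.0.5"),
    Event("e3", datetime(2023, 5, 1, 10, 0, 0, 900000), "sshd[1]: Accepted publickey for alice from 10.0.0.5"),
    Event("e4", datetime(2023, 5, 1, 10, 0, 0, 500000), "sshd[2]: Failed password for root from 203.0.113.9"),
    Event("e5", datetime(2023, 5, 1, 10, 0, 1, 200000), "sshd[2]: Failed password for root from 203.0.113.9"),
    Event("e6", datetime(2023, 5, 1, 10, 5, 0, 0),      "sshd[1]: Accepted publickey for alice from 10.0.0.5"),
]


def transaction_groups(events: List[Event], maxspan: timedelta = MAXSPAN) -> List[List[Event]]:
    """Group events with identical raw text whose span from the group's first
    event does not exceed maxspan. A later event outside the span starts a
    new group, so a legitimate repeat minutes later survives."""
    by_raw: Dict[str, List[Event]] = {}
    for ev in events:
        by_raw.setdefault(ev.raw, []).append(ev)

    groups: List[List[Event]] = []
    for same_raw in by_raw.values():
        same_raw.sort(key=lambda e: e.time)
        current = [same_raw[0]]
        for ev in same_raw[1:]:
            if ev.time - current[0].time <= maxspan:
                current.append(ev)
            else:
                groups.append(current)
                current = [ev]
        groups.append(current)
    return groups


def duplicate_ids(events: List[Event], maxspan: timedelta = MAXSPAN) -> List[str]:
    """Return the unique-field values to delete: every event in a group except
    the earliest one, which is kept."""
    ids = [ev.event_id for group in transaction_groups(events, maxspan) for ev in group[1:]]
    return sorted(ids)


def render_delete_lookup(ids: List[str]) -> str:
    """CSV text in the shape of a lookup table holding the ids to delete
    (column name `delete_id` is assumed); the same content a real search
    would write with outputlookup."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["delete_id"])
    for event_id in ids:
        writer.writerow([event_id])
    return buf.getvalue()


def verify_counts(events: List[Event], delete_ids: List[str]) -> Dict[str, object]:
    """The step 1 / step 2 check: total count (with duplicates), deduped count,
    and whether their difference matches the number of events to delete."""
    with_duplicates = len(events)
    deduped = len(transaction_groups(events))
    return {
        "with_duplicates": with_duplicates,
        "deduped": deduped,
        "to_delete": len(delete_ids),
        "consistent": with_duplicates - deduped == len(delete_ids),
    }


if __name__ == "__main__":
    to_delete = duplicate_ids(SAMPLE_EVENTS)
    print(render_delete_lookup(to_delete))
    print(verify_counts(SAMPLE_EVENTS, to_delete))
```

Only when `consistent` is true do the three numbers line up the way steps 1 and 2 require; if they do not, the grouping (or the choice of unique field) is wrong and nothing should be piped to delete yet. The model keeps e6 because it falls outside the one-second span even though its text is identical to e1, which is the behaviour maxspan buys you over a plain dedup on _raw.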