Dedup is not working on Splunk

Question

Please see picture below. I inserted dedup for job_duration, but it was not showing in the search result. I only need one result to do visualisation.

score 0 · Answer 1 · answered Sep 27 '19 at 02:48

0

It looks like job_min is a multi-value field, which are not supported by dedup. Try ... | eval job_min=mvdedup(duration) | ....

answered Sep 27 '19 at 02:48

RichG

143
6

score 0 · Answer 2 · answered May 19 '20 at 17:47

0

If job_min is in a multivalue field, you should mvexpand first

And, instead of dedup, try using stats

Like this:

| mvexpand job_min
| stats count by job_min
| fields - count

answered May 19 '20 at 17:47

warren

10,322

Dedup is not working on Splunk

2 Answers2