dedup
Remove events with duplicate values for the specified fields. Keeps the first occurrence.
Syntax
| dedup [N] <field> [, <field> ...]
Arguments
| Argument | Default | Description |
|---|---|---|
N | 1 | Keep first N events per unique combination |
field | Required | One or more fields to deduplicate on |
Examples
-- Keep one event per host
| dedup host
-- Keep first 3 events per source
| dedup 3 source
-- Dedup on multiple fields
| dedup source, level
-- Dedup after filtering
level=error | dedup host | table _time, host, message
See Also
- stats dc() -- Count distinct values
- top -- Most common values