Splunk search for Duplicate Events by Index, Sourcetype

Copy
index=* | stats count by _raw, index, sourcetype | where count>1 | stats values(sourcetype) as sourcetype by index
This search will output a list of sourcetypes by index that appear to have duplicate events within Splunk. Useful for identifying sourcetypes/indices where you might have some data ingest issues.
0 comments

Category:

General Splunk


Tags:

troubleshooting administration duplicate data ingest

Search Commands:

Sign in or Register to submit a comment