I tried using the already answered question on Splunk Answers on the same topic; they say to do it using a lookup or subsearch, like this.
Error on using delete on streamstats:-
index=idx1 sourcetype=csv|streamstats count by _raw _time |where cnt>1|delete
Both of the methods below are giving me wrong output: I have many duplicates, but the commands below only show me a few.
Subsearch method:-
index=idx1 sourcetype=csv| eval eid=_cd|search[ |streamstats count as cnt by _raw _time | where cnt>1| field eid ]|delete
Lookup method:-
index=idx1 sourcetype=csv|streamstats count by _raw _time |where cnt>1| eid=_cd | stats count by eid| fields eid| outputcsv del_id.csv
index=id1 sourcetype=csv|eval eid=_cd | search [ del_id.csv ] | delete