Amazing playlist. You are doing a good job, keep it up :)
Thank you so much!
Great channel, great work, great analyst!!
Glad you enjoy it!
Amazing content!! Is dedup completely the same as uniq? Cheers.
They are slightly different.
The uniq command removes duplicates if the whole event or row of a table is the same. It takes no fields or options, as everything is checked. It is an ideal command if you have duplicate data.
The dedup command looks only at the fields you tell it to. So if I say "| dedup host", it only looks at the host field and keeps the first from each host. You can specify multiple fields, and it has options like consecutive (only remove events with duplicate combinations of values that are in consecutive rows) or keepempty (also keep events that do not have the requested field).
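To make the difference between the two commands concrete, here is an added Python model of the `uniq` and `dedup` behaviour described in the reply above, run over a few constructed search results; it is not Splunk code (SPL is the real tool), and the handling of a missing field under `consecutive=true` is this model's own choice.

```python
# Added example: a Python model of the Splunk `dedup` and `uniq` semantics the
# reply describes. Constructed sample data; not Splunk's own code.
from typing import Dict, List, Optional, Sequence, Tuple

Event = Dict[str, str]

# Constructed search results: a login audit trail with one exact duplicate
# row and one row that has no host field.
EVENTS: List[Event] = [
    {"host": "web01", "src_ip": "10.0.0.5", "msg": "login ok"},
    {"host": "web01", "src_ip": "10.0.0.5", "msg": "login ok"},      # exact duplicate of row 1
    {"host": "web02", "src_ip": "10.0.0.9", "msg": "login failed"},
    {"host": "web01", "src_ip": "10.0.0.7", "msg": "login ok"},
    {"src_ip": "10.0.0.9", "msg": "login failed"},                    # no host field
    {"host": "web02", "src_ip": "10.0.0.9", "msg": "login failed"},  # same as row 3, not adjacent
]

def uniq(events: Sequence[Event]) -> List[Event]:
    """`| uniq`: compares whole events and drops one that exactly repeats the previous result."""
    out: List[Event] = []
    for ev in events:
        if out and ev == out[-1]:
            continue
        out.append(ev)
    return out

def dedup(events: Sequence[Event], fields: Sequence[str],
          consecutive: bool = False, keepempty: bool = False) -> List[Event]:
    """`| dedup f1 f2 ...`: keep the first event for each combination of field values.

    consecutive=True only drops an event whose values repeat the previous event's.
    keepempty=True passes through events that lack one of the fields; by default
    such events are dropped.
    """
    out: List[Event] = []
    seen = set()
    prev: Optional[Tuple[str, ...]] = None   # last key seen (this model ignores rows lacking a field)
    for ev in events:
        if any(f not in ev for f in fields):
            if keepempty:
                out.append(ev)
            continue
        key = tuple(ev[f] for f in fields)
        if consecutive:
            duplicate = key == prev
            prev = key
        else:
            duplicate = key in seen
            seen.add(key)
        if not duplicate:
            out.append(ev)
    return out
```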
Hi sir, I want to be a SOC analyst. Can you guide me?
Hop on Discord and I'll give you some advice.
lol, this video was specifically made to disrespect the dedup command. Stats ate up dedup.
Disrespect might be a little strong, but I do encourage the use of the right tool for the right job :)