topic Re: using dedup with multiple attributes in Splunk Search

using dedup with multiple attributes

isesiem — Mon, 07 Oct 2013 06:38:17 GMT

is it possible to use dedup to more than 1 attribute,,

this is my search
| dedup Object_Name

i want to add another argument like this
| dedup (Object_Name AND time)

if it is possible please provide me with the syntax

Re: using dedup with multiple attributes

kristian_kolb — Mon, 07 Oct 2013 06:52:39 GMT

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup

Yes, adding more fields as arguments to dedup will filter events to only show unique combinations of field values. E.g. if you have a log that contains logins from your users (userA and userB), with possible outcomes of 'failed' and 'success';

sourcetype=mylogin | dedup user, status | table user, status

user    status
userA   success
userB   failed
userB   success
userA   failed

Adding a time element to the dedup may produce more events than you want, since time will likely differ over time, so-to-speak. Thus you might want to use the built-in fields like date_hour etc, or make use of the bucket command before the dedup.

Hope this helps,

Kristian

Re: using dedup with multiple attributes

isesiem — Mon, 28 Sep 2020 14:54:43 GMT

i am searching for file opened this is my search

EventCode=4656 Object_Type=File | dedup Object_Name

it works excellent but there is a problem that when i open the file more than onece in the last week it will only show me 1 event ,,

that's why i want to add the time with the object name ,, but like you said it gave me more result than i want,,

so what is the solution

Re: using dedup with multiple attributes

kristian_kolb — Mon, 07 Oct 2013 08:25:34 GMT

The solution? It depends on what you want to show. Perhaps you want to look into stats or timechart, e.g.

...| stats values(Object_Name) by UserID, date_mday
or
...| timechart span=1h list(Object_Name) by UserID

The possibilities are endless. Please provide a more detailed description of your desired output.

Re: using dedup with multiple attributes

isesiem — Mon, 07 Oct 2013 09:43:59 GMT

i want to monitor all the files in ( Shared Folder ) to see who deleted , updated , tried to access and opened any file

i succeeded in all of the above except the file open event

when someone opens a file i get multiple events even though all i want is 1 event saying that a person opened a file and the file name is C://..

using dedup by object name solved the problem and got only 1 event per file open,, but introduced another problem that if a user opened a file multiple time it will only count as 1 time ,,, that's why i want to add the time event to the dedup condition

Re: using dedup with multiple attributes

kristian_kolb — Mon, 07 Oct 2013 10:32:20 GMT

then perhaps something like the following;

your base search | eval access_time = strftime(_time, "%F %T")| chart list(access_time) over Object_Name by UserID

no dedup in this case.

Re: using dedup with multiple attributes

mendesjo — Wed, 18 May 2016 21:55:39 GMT

nope doesn't work..

Re: using dedup with multiple attributes

waruike — Mon, 30 Nov 2020 07:40:14 GMT

The Command

dedup field1,field2

works okay if you have fields in fields one that are similar and fields in fields 3 which are also similar