https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244384#M72794 <P>Yes, fixed. now.</P> Wed, 06 Jul 2016 15:44:27 GMT woodcock 2016-07-06T15:44:27Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244372#M72782 <P>I can do the following separately, and I get the results I want.</P> <PRE><CODE>index="wineventlog" EventIdentifier="4624" | dedup ComputerName index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name </CODE></PRE> <P>I'm having trouble combining the two.</P> Tue, 05 Jul 2016 22:08:16 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244372#M72782 tmontney 2016-07-05T22:08:16Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244373#M72783 <P>What results are you looking for?</P> Tue, 05 Jul 2016 23:00:09 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244373#M72783 sundareshr 2016-07-05T23:00:09Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244374#M72784 <P>did you tried with the "append" command?<BR /> Bye.<BR /> Giuseppe</P> Wed, 06 Jul 2016 06:35:58 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244374#M72784 gcusello 2016-07-06T06:35:58Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244375#M72785 <P>use comma to combine multiple dedup fields .</P> <P>dedup Computer_Name,New_Process_Name </P> Tue, 29 Sep 2020 10:08:27 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244375#M72785 peters1901 2020-09-29T10:08:27Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244376#M72786 <P>It really depends on what you are trying to do (your question is too vague). Try this:</P> <PRE><CODE>index="wineventlog" EventIdentifier="4624" | dedup ComputerName | append [ search index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name] </CODE></PRE> <P>Or this:</P> <PRE><CODE> index="wineventlog" (EventIdentifier="4624" OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*"))) | dedup ComputerName New_Process_Name </CODE></PRE> Wed, 06 Jul 2016 13:43:31 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244376#M72786 woodcock 2016-07-06T13:43:31Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244377#M72787 <P>As I said, I want to combine the two searches. I don't know how I can make it any more specific than that.</P> <P>First throws an error ("unknown command index") and second only matches event 4688.</P> Wed, 06 Jul 2016 14:26:19 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244377#M72787 tmontney 2016-07-06T14:26:19Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244378#M72788 <P>Same results as using woodcock's answer. I only get results for event 4688.</P> Wed, 06 Jul 2016 14:32:59 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244378#M72788 tmontney 2016-07-06T14:32:59Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244379#M72789 <P>Just now got append working.</P> Wed, 06 Jul 2016 14:40:14 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244379#M72789 tmontney 2016-07-06T14:40:14Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244380#M72790 <P>You need <CODE>...| append [**search** index ...]</CODE></P> Wed, 06 Jul 2016 14:41:35 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244380#M72790 tmontney 2016-07-06T14:41:35Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244381#M72791 <P>This should do it</P> <PRE><CODE> index="wineventlog" (EventIdentifier="4624") OR ( EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*")) | eval dedupfield=if(EventIdentifier="4624", ComputerName, New_Process_Name) | dedup dedupfield </CODE></PRE> Wed, 06 Jul 2016 14:43:40 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244381#M72791 somesoni2 2016-07-06T14:43:40Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244382#M72792 <P>index="wineventlog" EventIdentifier="4624" | dedup ComputerName<BR /> | append [ search index="wineventlog" EventIdentifier="4688" (New_Process_Name="<EM>word.exe</EM>" OR New_Process_Name="<EM>excel.exe</EM>" OR New_Process_Name="<EM>outlook.exe</EM>") | dedup New_Process_Name]</P> <P>are you sure that the searches have results? I trided on my Splunk and I have the addition of the two searches</P> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 10:06:24 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244382#M72792 gcusello 2020-09-29T10:06:24Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244383#M72793 <P>They did. As I said in my OP, both searches on their own produce results.</P> Wed, 06 Jul 2016 14:46:17 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244383#M72793 tmontney 2016-07-06T14:46:17Z https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244384#M72794 <P>Yes, fixed. now.</P> Wed, 06 Jul 2016 15:44:27 GMT https://community.splunk.com/t5/Splunk-Search/Using-dedup-with-multiple-fields/m-p/244384#M72794 woodcock 2016-07-06T15:44:27Z