Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Dedup by time

arkonner
Path Finder
‎12-12-2016 08:12 AM

I am using the search below to determine the account locked out - It works fine but as result I received more than a single account locked-out events from at list two domain controllers between 2 seconds - Should be possible to use a dedup by time to avoid the same status over 5/10 seconds. 

index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" EventCode=4740 OR EventCode=644 AND Account_Name!=Guest AND  Account_Name!=Anonymous   | eval Account_Name = mvindex(Account_Name,1)   | eval Security_ID = mvindex(Security_ID,1)  | timechart span=1h limit=20 useother=f count by Account_Name
Tags (3)
0 Karma
Reply

koshyk
Super Champion
‎12-12-2016 01:03 PM

I would do a stats rather than a dedup as it is much efficient & fast

0 Karma
Reply

gokadroid
Motivator
‎12-12-2016 08:47 AM

If all the data in the event seems duplicate please try to see if dedup _raw at the beginning solves your problem. If still the duplicate events exist it means there is something different between raw data of these two events even though the specific data you seek might look duplicate.

Doing a dedup over _time might not solve the issue since you mention that after 2 seconds the event reappears (which means time itself is different). Try dedup over the fields which you see are coming as duplicate rather than time which itself is 2sec different to previous duplicate event.

0 Karma
Reply

arkonner
Path Finder
‎12-13-2016 02:00 AM

The same event has been recorded by more than one domain controller - " count by Account_Name" is showing two events coming from server1 and server2 - in closing time - I am looking to eliminate the duplication if this append in a 5/10 sec time windows - If the same user i still strying to perform a login the new account_locked out will appear.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...