
How to identify all the duplicated log events/entries written to two different log files?

myli12
Path Finder

I have two types of log files: one is supposed to record security-related events (sourcetype = sec) and the other to record the rest of the system events (sourcetype = sys).

But I found a small set of security events cross-written to both types of files. One such log example is as follows (I displayed host and sourcetype using Splunk):

2011-06-06T18:16:29 127.0.0.1 [NET-SECURITY]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/service radiusd restart
host=TT_June2011 | sourcetype = sec

2011-06-06T18:16:29 127.0.0.1 [NET-SECURITY]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/service radiusd restart
host=TT_June2011 | sourcetype = sys

How can I identify all the log events/entries written to both of the files? At least, is it possible to find out whether the security events written to the "sys" type file are a subset of all the security events written to the "sec" type file?

The suggested "punct" does not work. Do I need to write a Python script to compare and identify the duplicate messages written to both files?

1 Solution

myli12
Path Finder

I found a solution through this post.

http://splunk-base.splunk.com/answers/432/how-do-i-find-all-duplicate-events

The search that works is

sourcetype=sec OR sourcetype=sys | eval dupfield=_raw | transaction dupfield maxspan=1s keepevicted=true | where mvcount(sourcetype) > 1

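As an added illustration (not code from this thread), the comparison that the accepted search performs, written as the stand-alone Python script the question asks about: group events by identical _raw, cut each group into transactions no longer than a 1-second maxspan, keep the transactions seen under more than one sourcetype, and then answer the subset question. The field names _time, _raw and sourcetype follow Splunk's; the sample lines and the "[NET-SECURITY]" marker used to pick out security events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in the layout shown in the question (not real log data).
SEC_LINES = [
    "2011-06-06T18:16:29 127.0.0.1 [NET-SECURITY]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/service radiusd restart",
    "2011-06-06T18:17:02 127.0.0.1 [NET-SECURITY]: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd bob",
]
SYS_LINES = [
    "2011-06-06T18:16:29 127.0.0.1 [NET-SECURITY]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/service radiusd restart",
    "2011-06-06T18:16:30 127.0.0.1 [SYSTEM]: cron : started job backup",
    "2011-06-06T18:21:00 127.0.0.1 [NET-SECURITY]: audit : TTY=pts/1 ; PWD=/ ; USER=audit ; COMMAND=/bin/cat /etc/shadow",
]

def parse(line, sourcetype):
    """Build an event carrying the Splunk fields the search relies on: _time, _raw, sourcetype."""
    stamp = datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%S")
    return {"_time": stamp, "_raw": line, "sourcetype": sourcetype}

def cross_written(events, maxspan=timedelta(seconds=1)):
    """Mirror of: eval dupfield=_raw | transaction dupfield maxspan=1s | where mvcount(sourcetype) > 1.
    Events with identical _raw form a group; the group is cut into transactions no longer than
    maxspan; every transaction that contains more than one sourcetype is reported."""
    by_raw = defaultdict(list)
    for ev in events:
        by_raw[ev["_raw"]].append(ev)
    hits = []
    for raw, group in by_raw.items():
        group.sort(key=lambda e: e["_time"])
        txn = []
        for ev in group + [None]:  # the trailing None flushes the last transaction
            if ev is None or (txn and ev["_time"] - txn[0]["_time"] > maxspan):
                if len({e["sourcetype"] for e in txn}) > 1:
                    hits.append((txn[0]["_time"], raw))
                txn = []
            if ev is not None:
                txn.append(ev)
    return hits

def sys_security_strays(sec_lines, sys_lines, marker="[NET-SECURITY]"):
    """Security-tagged lines present in the sys file but absent from the sec file.
    An empty list means the sys file's security events are a subset of the sec file's."""
    sec_raw = set(sec_lines)
    return [line for line in sys_lines if marker in line and line not in sec_raw]

if __name__ == "__main__":
    events = [parse(l, "sec") for l in SEC_LINES] + [parse(l, "sys") for l in SYS_LINES]
    for when, raw in cross_written(events):
        print("cross-written at", when, ":", raw)
    print("security events only in sys:", sys_security_strays(SEC_LINES, SYS_LINES))
```

Because the timestamp is part of _raw, two copies of an event only match when they carry the same timestamp text, which is exactly the behaviour of the accepted search.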
MarioM
Motivator

What about the Splunk special field punct?

You could try a search similar to this:

sourcetype="sec" OR sourcetype="sys" | where mvcount(punct) > 1 | where mvcount(sourcetype) > 1

myli12
Path Finder

Thanks. Why did I receive "0" matching events after running the above suggested search? I obtained "0" matching events even after the first where, i.e. after where mvcount(punct) > 1. However, I can observe the identical log entries in both sourcetypes (they are from different files).
