All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Find Duplicates Within KV Store And Compare Source

joemarty82
Explorer
‎08-31-2020 10:58 AM

Hello,

 

I am having problems trying to find duplicate entries within my splunk kvstore. Basically, what I want to do is find duplicates based on a few fields such as FQDN, CVE, and PORT. Then, once I found duplicates I just want to output them in a table if their SOURCE field is different. The query I have so far is:

| inputlookup vul_kvstore
| stats count by fqdn, port, cve
| where count>1
| table fqdn, port, cve, source

The problem I have now is in my table I do not have access to the source field as it looks like the stats count line basically pulls out only the fqdn, port, and cve data. How do I get access to the source field data? Maybe I just have to revise my original query so I do not loose data to that field but so far nothing I try works. Hopefully someone can provide me some advise to push me through this problem.

 

Thanks,

Joe

Labels (2)
Labels
Reply

Nisha18789
Builder
‎09-01-2020 01:38 AM

Hi @joemarty82 , can you try this

 

| inputlookup vul_kvstore
| stats count by source fqdn, port, cve
| where count>1
| table source, fqdn, port, cve
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-31-2020 11:48 AM

| inputlookup vul_kvstore

| stats dc(source) as distinct_source_count values(source) as source by fqdn, port, cve

| where distinct_source_count > 1

| table fqdn, port, cve, source

————————————
If this helps, give a like below.
0 Karma
Reply

joemarty82
Explorer
‎08-31-2020 12:48 PM

Hey Tham,

 

Thanks for the input. However, this will not work because the source field only contains one entry in each kvstore record. Looks like your solution assumes there are more than 1.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...