All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

problem with duplicate event

mirelixa
Engager
‎01-20-2015 11:41 AM

Hi,

I have two records that are equal to a value different as do the rest to only show me a record, the first

Also as I do if I want to get only the value Bond1 example of a row and not all fields.

[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s

[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s

I hope your help, thanks

0 Karma
Reply

kenth213
Path Finder
‎01-20-2015 01:34 PM

Is this returned in a single event or two separate events? i.e:

event 1 = [1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
event 2 = [1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s

or

event 1 = [1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s

If these are two events, limit the results of your search to exclude the unwanted event index=your_index "your search criteria" "SERVICE ALERT: oradb4*" etc.

If it is a single event then you can end the event using a transaction index=your_index "your search criteria" "SERVICE ALERT: oradb4*" | transaction endswith="Socket timeout after 10 seconds."

0 Karma
Reply

jayannah
Builder
‎01-20-2015 11:50 AM

Your question is but unclear. If I could understand ur question correctly, all the events are duplicated and you to show/use only 1 event.Correct? If yes, try dedup _raw command.

            | dedup  _raw
0 Karma
Reply

mirelixa
Engager
‎01-20-2015 12:18 PM

apology but was entirely clear. these events and I just want one, the first in this case

[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s

and in this case, only the first too

[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s

all those who have the following message: CHECK_NRPE: Socket timeout after 10 seconds.

thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...