Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- problem with duplicate event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
problem with duplicate event
Hi,
I have two records that are equal to a value different as do the rest to only show me a record, the first
Also as I do if I want to get only the value Bond1 example of a row and not all fields.
[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
I hope your help, thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this returned in a single event or two separate events? i.e:
event 1 = [1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
event 2 = [1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
or
event 1 = [1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
If these are two events, limit the results of your search to exclude the unwanted event index=your_index "your search criteria" "SERVICE ALERT: oradb4*" etc.
If it is a single event then you can end the event using a transaction index=your_index "your search criteria" "SERVICE ALERT: oradb4*" | transaction endswith="Socket timeout after 10 seconds."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your question is but unclear. If I could understand ur question correctly, all the events are duplicated and you to show/use only 1 event.Correct? If yes, try dedup _raw command.
| dedup _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
apology but was entirely clear. these events and I just want one, the first in this case
[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
and in this case, only the first too
[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
all those who have the following message: CHECK_NRPE: Socket timeout after 10 seconds.
thanks a lot
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
