Authentication Data model duplication of logs issu...

ngwodo · ‎10-16-2021

I have one 1 primary index namely azure with 2 sourcetypes namely: mscs:kube-good and mscs:kube-audit-good. I believe they could be duplication of data logs between the 2 sourcetypes. What is the splunk queries that can tell me if there is duplication of logs between the 2 sourcetypes. Do they each have information that the other doesn't contain. Is there a lot of overlap? Please give me the splunk queries that will do this job.

richgalloway · ‎10-16-2021

To find duplicate events, try this query

index=azure sourcetype IN ("mscs:kube-good", "mscs:kube-audit-good")
| stats count by _raw
| where count>1

I'm afraid there are no magic queries to answer your other questions. You'll have to analyze the data in each sourcetype and craft queries as you go to work out answers.

---
If this reply helps you, Karma would be appreciated.

Authentication Data model duplication of logs issue from 2 sourcetypes

using Enterprise Security

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?