Splunk Enterprise Security

Duplicate logs cause incorrect data in dashboard

shayhibah
Path Finder

Hi,

I use various dashboards which include in Splunk Enterprise Security app.
In case of duplicate logs in my environment, the data inside the dashboards is obviously incorrect.
For example: In HTTP Category Analysis dashboard, I see some category with count of 2 although both of these 2 are actually the same log.
I can recognize duplicate logs in my environment by a field called log-id.

Is there any option to define that all queries will do something like 'dedup' before retrieving results?
If so, is there any automatic way to do that instead of changing each dashboard's query?

*FYI - I do not want to delete the duplicates *

Thanks

0 Karma

shayhibah
Path Finder

Someone?

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@shayhibah,
Yes, dedup is a good approach to remove duplicate events from dashboards. Is it possible for you to change searches in all respective dashboards?

0 Karma

shayhibah
Path Finder

hi, dedup is perfect for me but - I would like to change searches in all dashboards automatically (change in one place) and not change manually each query of each dashboard.

Is it possible?

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!