Splunk Enterprise Security

How to deal with the duplicate events in Authentication datamodel?


Hi Guys,

I have built the Authentication datamodel on the Splunk ES. However I am dealing with a dilemma of duplicate events here.

To explain it in detail:
If an authentication attempt occurs from src X to dest Y, same event is generated on X, Y and Domain Controller A. I am collecting logs from all the three machines and adding the same into the datamodel. So, when I use tstats count against the datamodel, I see 3 events depicting 3 attempts instead of one.

The only way I see out of removing this duplicate is by adding src or host as an additional separator. If so, I won't be able to monitor the criteria of login failures from multiple sources.

So, I was just wanting to know how you guys are tackling it.

Thanks in advance.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...