Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to deal with the duplicate events in Authentication datamodel?

harishbenne2
Explorer
‎04-04-2020 10:26 PM

Hi Guys,

I have built the Authentication datamodel on the Splunk ES. However I am dealing with a dilemma of duplicate events here.

To explain it in detail:
If an authentication attempt occurs from src X to dest Y, same event is generated on X, Y and Domain Controller A. I am collecting logs from all the three machines and adding the same into the datamodel. So, when I use tstats count against the datamodel, I see 3 events depicting 3 attempts instead of one.

The only way I see out of removing this duplicate is by adding src or host as an additional separator. If so, I won't be able to monitor the criteria of login failures from multiple sources.

So, I was just wanting to know how you guys are tackling it.

Thanks in advance.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...