Splunk Enterprise

How to stop duplicate events 4624 from logging into Splunk

rahulkumarfgf
Explorer

Hello Everyone,

I have searched everywhere for a solution but did not get anything close to what I'm trying to do. So, I have one Domain Controller from where we are capturing data into the DS. On searching for EventCode 4624, I see around 10-15 events with the same timestamp, AccountName, etc. logging in. This single eventcode is consuming around 4-5 GB of license every day from a single Domain Controller, which is not at all ideal. Blacklisting the event is no help as I need it for several reports. I have already removed the extra description at the end of events to reduce license usage. I was wondering if someone has faced a similar issue or if someone could guide me on this; that would be great.

Please let me know if I need to provide any more information.


rahulkumarfgf
Explorer

Hi @gcusello, thank you for your response. I'm not looking to dedup the events, as that will mean that the events are already indexed. I'm looking for a way to index only 1 event in Splunk instead of several duplicate events coming from the DCs, which will help me in saving my license.


Thank You!


gcusello
SplunkTrust

Hi @rahulkumarfgf,

sorry, it isn't possible!

The only way could be to extract events from wineventlog and preprocess them using a script before Splunk, but it isn't easy!

Ciao.

Giuseppe


rahulkumarfgf
Explorer

Hi @gcusello,

I see. I will search for scripts then and see how that goes. I will update if anything changes. Thank you!


gcusello
SplunkTrust

Hi @rahulkumarfgf,

this is a problem related to Windows logs.

You could use the dedup command (on the host, user and timestamp fields) to exclude the duplicated values from the results, but you have to check whether in this way you manage to eliminate all the duplicated events, or whether there are some events with a little difference in timestamp (one or a few milliseconds).

The other choice is to use the transaction command to group events, but transaction is a slow command that I usually avoid.

Obviously, this is a solution at search time, but it doesn't solve the problem of the license consumption.

For the license I think that you cannot do anything, because you'd risk losing some events.

Ciao.

Giuseppe

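The timestamp caveat Giuseppe raises above, shown as an added example that is not part of this thread: a Python script over constructed 4624 records (field names such as `host`, `user` and `Logon_Type` are assumed to mirror what Splunk extracts from wineventlog) that compares an exact-timestamp dedup, which is what `dedup host user _time` does, against one that tolerates a few milliseconds of skew. The same grouping logic is what a pre-ingest script would need, at the cost of losing the dropped copies.

```python
from datetime import datetime, timedelta

# Constructed sample: three near-duplicate alice/type-3 logons a few ms apart,
# one type-2 logon for alice at the same instant, one for bob, and a genuinely
# new alice logon 5 seconds later. Timestamps are ISO-8601 with milliseconds.
SAMPLE_4624 = [
    {"_time": "2024-05-01T08:00:00.000", "host": "DC01", "user": "alice", "Logon_Type": "3"},
    {"_time": "2024-05-01T08:00:00.002", "host": "DC01", "user": "alice", "Logon_Type": "3"},
    {"_time": "2024-05-01T08:00:00.004", "host": "DC01", "user": "alice", "Logon_Type": "3"},
    {"_time": "2024-05-01T08:00:00.000", "host": "DC01", "user": "alice", "Logon_Type": "2"},
    {"_time": "2024-05-01T08:00:00.000", "host": "DC01", "user": "bob", "Logon_Type": "3"},
    {"_time": "2024-05-01T08:00:05.000", "host": "DC01", "user": "alice", "Logon_Type": "3"},
]


def dedup_exact(events):
    """Keep the first event per (host, user, Logon_Type, exact _time).

    This mirrors a search-time `dedup host user Logon_Type _time`: events
    that differ by even one millisecond are treated as distinct.
    """
    seen, kept = set(), []
    for ev in events:
        key = (ev["host"], ev["user"], ev["Logon_Type"], ev["_time"])
        if key in seen:
            continue
        seen.add(key)
        kept.append(ev)
    return kept


def dedup_near(events, tolerance_ms=10):
    """Collapse events with the same (host, user, Logon_Type) that arrive
    within tolerance_ms of the last event kept for that key.

    Returns (kept_events, dropped_count) so the number of discarded copies
    stays visible; a real logon a few seconds later is kept as a new event.
    """
    tol = timedelta(milliseconds=tolerance_ms)
    last_kept, kept, dropped = {}, [], 0
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["host"], ev["user"], ev["Logon_Type"])
        ts = datetime.fromisoformat(ev["_time"])
        prev = last_kept.get(key)
        if prev is not None and ts - prev <= tol:
            dropped += 1  # within the skew window: treat as a duplicate
            continue
        last_kept[key] = ts
        kept.append(ev)
    return kept, dropped
```

Run on the sample, the exact dedup keeps all six records (none share a millisecond-exact timestamp), while the tolerant version keeps four and drops the two alice/type-3 copies at +2 ms and +4 ms.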