Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to stop duplicate events 4624 from logging into Splunk

rahulkumarfgf
Explorer
‎09-14-2020 06:20 AM

Hello Everyone,

I have searched everywhere for a solution but did not get anything close to what I'm trying to do. So, I have one Domain Controller from where we are capturing data into the DS. On searching for EventCode 4624, I see around 10-15 events with the same timestamp, AccountName, etc. logging in. This single eventcode is consuming around 4-5 GB of license eveyday from a single Domain Controller which is not at all ideal. Blacklisting the event is no help as I need it for several reports. I have already removed the extra description at the end of events to reduce license usage. I was wondering if someone has faced similar issue or if someone could guide me on this, that would be great.

Please let me know if I need to provide anymore information.

Labels (1)
Labels
0 Karma
Reply

rahulkumarfgf
Explorer
‎09-14-2020 07:51 AM

Hi @gcusello Thank you for your response. I'm not looking to dedup the events as that will mean that the events are already indexed. I'm looking for a way to index only 1 event in Splunk instead of several duplicate events coming from the DC's which will help me in saving my license.

 

Thank You!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2020 07:54 AM

Hi @rahulkumarfgf,

sorry, it isn't possible!

The only way could be extract events from wineventlog and preprocess them using a script before Splunk, but it isn't easy!

Ciao.

Giuseppe

0 Karma
Reply

rahulkumarfgf
Explorer
‎09-14-2020 07:58 AM

Hi @gcusello 

I see. I will search for scripts then and see how that goes. I will update if anything changes. Thank you!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-14-2020 07:46 AM

Hi @rahulkumarfgf,

this is a problem related to Windows logs.

You could use dedup (for host, user and timestamp fields) command to exclude from the results the duplicated values, but you have to check if in this way you reach to eliminate all the duplicated events or there are some events with a little difference in timestamp (one or few milliseconds).

The other choice is to use the transaction command, to group events but transaction is a slow command that I usually avoid.

Obviously, this is a solution at search time, but it doesn't solve thge problem of the license consuption.

For license I think that you cannot do nothing because, you'd risk to loose some events.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...