Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you list time-unique events as one event if certain fields match?

d648777
New Member
‎02-06-2019 07:31 PM

Hi,

I'm a complete novice to Splunk, so forgive me if the following is basic/doesn't make sense. I'm trying to reduce noise in the extracted results of a search by identifying and matching data in fields from time-unique events and grouping them/ listing them as one event if the criteria matches (i.e. if (fieldA, fieldB, fieldC) are the same between dateTime1 and dateTime2 for event_a and event_b (or any additional events), then list/table as a single event).

Hoping someone can help or point me in the right direction.

Thanks!

0 Karma
Reply

vishaltaneja070
Motivator
‎02-06-2019 10:22 PM

Hello @d648777

I think you are talking about removing duplicate when you are running the search based on fields fieldA, fieldB and FieldC.

You can use dedup command to achieve this like <your_search> | dedup fieldA, fieldB, fieldC

0 Karma
Reply

d648777
New Member
‎02-06-2019 10:43 PM

Thanks for your answer! This is in the direction, but I'm trying to set a time-frame constraint in the sense that if fieldA, fieldB and fieldC are the same for event_a and event_ b in a 5 minute time period, list/table as one event; however, if fieldA, fieldB and fieldC are the same in event_a and event_b and the time difference between event_a and event_b is greater than 5 minutes, table them as separate events.

0 Karma
Reply

vishaltaneja070
Motivator
‎02-06-2019 11:30 PM

@d648777

Something like this can work for you:

    index=*  | eventstats latest(_time) as lat , earliest(_time) as ear | eval Diff= lat - ear +1  | search Diff > 300 
     |append [search index=*  | eventstats latest(_time) as lat , earliest(_time) as ear | eval Diff= lat - ear +1 |dedup fieldA, fieldB, fieldC | search Diff < 300]
0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...