DEDUP with Multiple Values not Working

Makinde · ‎07-04-2016

I have vulnerability detection in Splunk where there is the possibility of duplicate QID, IP and PORT, so I run a search string to dedup QID IP PORT however it doesn't give me the values I want because some detection don't have a PORT associated.

I try to add ... | fillnull PORT | dedup QID IP PORT | ... however the result is the same as when I don't do a dedup and I know for sure there are detection with all three as it's creating the descripances with the result we get from the Vulnerability scanner itself.

How else can I make this work?

somesoni2 · ‎07-05-2016

Give this a try

your base search | eval PORT=coalesce(PORT,"NA")   | dedup QID IP PORT

Makinde · ‎07-13-2016

No luck, still not working. Any other ideas?

somesoni2 · ‎07-13-2016

How about this

 your base search | eventstats values(PORT) as port by QID IP | eval PORT=coalesce(PORT,port )   | dedup QID IP PORT

DEDUP with Multiple Values not Working

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Join the Conversation

DEDUP with Multiple Values not Working

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination