Splunk Search
Highlighted

DEDUP with Multiple Values not Working

New Member

I have vulnerability detection in Splunk where there is the possibility of duplicate QID, IP and PORT, so I run a search string to dedup QID IP PORT however it doesn't give me the values I want because some detection don't have a PORT associated.

I try to add ... | fillnull PORT | dedup QID IP PORT | ... however the result is the same as when I don't do a dedup and I know for sure there are detection with all three as it's creating the descripances with the result we get from the Vulnerability scanner itself.

How else can I make this work?

Tags (2)
0 Karma
Highlighted

Re: DEDUP with Multiple Values not Working

SplunkTrust
SplunkTrust

Give this a try

your base search | eval PORT=coalesce(PORT,"NA")   | dedup QID IP PORT
0 Karma
Highlighted

Re: DEDUP with Multiple Values not Working

New Member

No luck, still not working. Any other ideas?

0 Karma
Highlighted

Re: DEDUP with Multiple Values not Working

SplunkTrust
SplunkTrust

How about this

 your base search | eventstats values(PORT) as port by QID IP | eval PORT=coalesce(PORT,port )   | dedup QID IP PORT
0 Karma