I've got two additional questions regarding this topic:
BR
Heinz
Unfortunately I don't have a unique identifier for each event like your proposed session_id.
You can count duplicated events by using the "transaction" command, and then count the events by using "eventcount".
e.g.:
eventtype="*" | transaction session_id | Where eventcount>1 | stats count by eventcount
to find out how many duplicates occurred
or:
eventtype="*" | transaction session_id | Where eventcount>1 | stats count(eventcount)
to count how many different duplicated events occurred
or ...
dedup _raw
should work just fine, yes.
Great, thanks.
When I try and enter the "|dedup _raw" command at the end of my search parameter I end up with no matches, but when I take it off the end I end up with thousands. I can see that they are duplicates (same IP address, name, and port) but it still doesn't work. Any suggestions?
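A small model of the two approaches discussed in this thread, as an added Python example (it is not code from the thread or from Splunk, and it only imitates the search commands). It builds constructed key=value events with a session_id, computes a transaction-style eventcount per session_id (the "transaction ... | where eventcount>1 | stats ..." searches), and implements a dedup that keeps the first event for each combination of fields. The field names ip, name and port are assumptions taken from the last post. The point it shows: dedup on _raw only removes events whose raw text is byte-for-byte identical, so events that agree on IP, name and port but differ in their timestamp survive "dedup _raw", while "dedup ip name port" removes them.

```python
import re
from collections import Counter

# Constructed sample events, not taken from the thread. Two are exact copies of an
# earlier line; one (the third) repeats s1's fields with a different timestamp.
RAW_EVENTS = [
    "2024-01-01T00:00:01Z session_id=s1 ip=10.0.0.5 name=alice port=443",
    "2024-01-01T00:00:01Z session_id=s1 ip=10.0.0.5 name=alice port=443",
    "2024-01-01T00:00:02Z session_id=s1 ip=10.0.0.5 name=alice port=443",
    "2024-01-01T00:00:03Z session_id=s2 ip=10.0.0.6 name=bob port=22",
    "2024-01-01T00:00:04Z session_id=s3 ip=10.0.0.7 name=carol port=8080",
    "2024-01-01T00:00:04Z session_id=s3 ip=10.0.0.7 name=carol port=8080",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(raw):
    """Extract key=value fields; keep the whole line as _raw and the timestamp as _time."""
    fields = dict(KV_RE.findall(raw))
    fields["_raw"] = raw
    fields["_time"] = raw.split(" ", 1)[0]
    return fields


EVENTS = [parse_event(r) for r in RAW_EVENTS]


def transaction_eventcount(events, key="session_id"):
    """Group events by key and count members, like `transaction key` yielding eventcount."""
    return Counter(e[key] for e in events)


def duplicates_by_eventcount(events, key="session_id"):
    """`transaction key | where eventcount>1 | stats count by eventcount`:
    how many groups have 2 members, how many have 3, ..."""
    counts = transaction_eventcount(events, key)
    return Counter(c for c in counts.values() if c > 1)


def count_duplicated_keys(events, key="session_id"):
    """`transaction key | where eventcount>1 | stats count(eventcount)`:
    the number of distinct keys that occur more than once."""
    return sum(1 for c in transaction_eventcount(events, key).values() if c > 1)


def dedup(events, *fields):
    """Keep the first event seen for each distinct combination of the given fields,
    which is what `dedup field1 field2 ...` does. Passing "_raw" compares whole lines."""
    seen = set()
    kept = []
    for e in events:
        k = tuple(e.get(f) for f in fields)
        if k in seen:
            continue
        seen.add(k)
        kept.append(e)
    return kept


if __name__ == "__main__":
    print("eventcount per session:", dict(transaction_eventcount(EVENTS)))
    print("groups by eventcount (>1):", dict(duplicates_by_eventcount(EVENTS)))
    print("sessions with duplicates:", count_duplicated_keys(EVENTS))
    print("events after dedup _raw:", len(dedup(EVENTS, "_raw")))
    print("events after dedup ip name port:", len(dedup(EVENTS, "ip", "name", "port")))
```

The third constructed event is the interesting one: it shares session, IP, name and port with the first two but carries a later timestamp, so an exact-line dedup keeps it while a field-based dedup drops it. When a search with "dedup _raw" returns far fewer or far more events than expected, comparing the two dedup keys in this way shows which events the exact-match rule treats as distinct.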