When I try to enter the "|dedup _raw" command at the end of my search parameter, I end up with no matches, but when I take it off the end I end up with thousands. I can see that they are duplicates (same IP address, name, and port), but it still doesn't work. Any suggestions?
I've got two additional questions regarding this topic:
You can count duplicated events by using the "transaction" command, and then count the events by using "eventcount":
eventtype="*" | transaction session_id | where eventcount>1 | stats count by eventcount
to find out how many duplicates occurred, or
eventtype="*" | transaction session_id | where eventcount>1 | stats count(eventcount)
to count how many different duplicated events occurred.
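As an added illustration, not part of the original answer, here is the same duplicate count done with stats instead of transaction, which is cheaper on large result sets and does not need a session_id. The field names src_ip, name and port are assumptions standing in for the asker's "IP address, name, and port"; the input is a constructed set of six events built with makeresults so the search runs on any Splunk instance without real data. Two caveats worth knowing when dedup _raw "finds nothing": _raw carries the timestamp, so two events that share IP, name and port but were logged at different times are not duplicates of _raw at all, and dedup drops events where the dedup field is null by default (keepempty=false), so | dedup _raw placed after a transforming command such as stats or table, where _raw no longer exists, returns no events.

```spl
| makeresults count=6
| streamstats count AS n
| eval src_ip=case(n<=3, "10.0.0.5", n<=5, "10.0.0.9", true(), "10.0.0.42"),
       name=case(n<=3, "hostA", n<=5, "hostB", true(), "hostC"),
       port=case(n<=3, 445, n<=5, 3389, true(), 22)
| eval _time=_time + n
| eval _raw=strftime(_time, "%Y-%m-%dT%H:%M:%S") . " src=" . src_ip . " name=" . name . " port=" . port
| stats count AS dup_count, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, name, port
| where dup_count > 1
| sort - dup_count
```

The constructed events (hostA three times, hostB twice, hostC once) all have distinct _raw strings because of the timestamp, so | dedup _raw on them would remove nothing, while replacing the last three lines with | dedup src_ip, name, port keeps exactly one event per IP/name/port combination and drops the other three. The stats form above reports dup_count=3 for hostA and dup_count=2 for hostB, with first_seen and last_seen showing the span over which each repeat occurred.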