Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dedup is removing the duplicate fields which is having the Unique value in other column

LRathinakumar
Explorer
‎02-19-2023 02:01 AM

Hello Splunkers,

I have used a query in the search for mitre fields extraction and after the extraction i have got the results with the query name and the technique_id. But here the problem comes. Each query is having the technique_id and the sub technique_id, so i have matched the sub technique_id with the technique_id and the results is shown with the same rule name two times with the technique_id. So i want to remove  the duplicate rule name, if so i used the dedup then the rule having the other technique_id is also getting removed. I have attached the screenshot for reference...

The query i used for getting the results is 



| rest /services/configs/conf-analyticstories 
| where annotations!="" 
| spath input=annotations path=mitre_attack{} output=mitre_attack 
| eval rule_name=ltrim(title,"savedsearch://") 
| fields rule_name,mitre_attack 
| join rule_name 
[| rest /services/configs/conf-analyticstories 
| where searches!="" 
| eval rule_name=searches 
| table title,rule_name 
| eval rule_name=trim(rule_name,"[") 
| eval rule_name=trim(rule_name,"]") 
| eval rule_name=split(rule_name,",") 
| mvexpand rule_name 
| eval rule_name=trim(rule_name," ") 
| eval rule_name=trim(rule_name,"\"")
] 
| append 
[| rest services/configs/conf-savedsearches 
| eval rule_name=title 
| search action.correlationsearch.annotations="*" 
| spath input=action.correlationsearch.annotations path=mitre_attack{} output=mitre_attack 
| fields rule_name, mitre_attack] 
| eval technique_name = if(match(mitre_attack,"^T\d\d\d"),null(), mitre_attack)
| lookup mitre_tt_lookup technique_name OUTPUT technique_id as tmp_id0
| eval tmp_id1 = if(match(mitre_attack,"^T\d\d\d"), mitre_attack, null())
| eval technique_id=coalesce(tmp_id0, tmp_id1)
| where NOT isnull(technique_id) 
| table rule_name, technique_id 
| inputlookup mitre_user_rule_technique_lookup append=true 
| inputlookup mitre_app_rule_technique_lookup append=true 
| makemv tokenizer="([^\n\s]+)" technique_id 
| mvexpand technique_id 
| dedup rule_name,technique_id 
| join rule_name 
[| rest services/configs/conf-savedsearches 
| eval rule_name=title 
| eval stage= if(disabled == 1, "Disabled", "Enabled")
| table rule_name, stage
] 
| eval subtechnique_id=if(match(technique_id,"\."),technique_id,null())
| eval technique_id=if(match(technique_id,"\."),replace(technique_id,"\.\d+",""),technique_id)
|search stage=Enabled
|table rule_name,technique_id

 

LRathinakumar_0-1676800735000.png

 

Thanks in advance....

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-19-2023 02:37 AM

Repeat the dedup line at the end

| dedup rule_name,technique_id

Or don't edit the technique_id after the dedup to see the different versions

| eval technique_id=if(match(technique_id,"\."),replace(technique_id,"\.\d+",""),technique_id)

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-19-2023 02:37 AM

Repeat the dedup line at the end

| dedup rule_name,technique_id

Or don't edit the technique_id after the dedup to see the different versions

| eval technique_id=if(match(technique_id,"\."),replace(technique_id,"\.\d+",""),technique_id)
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...