How to filter out all events that have duplicate v...

tnoelOTS · ‎10-19-2016

I am running a search of my Rapid7 data I need to compare 2 fields Dest_ip and signature_id If both fields have the same data I want to remove all records that have that data from my search.

Example

event 1: dest_ip=10.10.10.10 signature_id=1
event 2: dest_ip=10.10.10.10 signature_id=1
event 3: dest_ip=10.10.10.10 signature_id=2

results after search would only give me the unique value for event 3

sundareshr · ‎10-19-2016

Try the dedup command

base search | dedup dest_ip signature_id

https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Dedup

UPDATED

base search | eventstats count by dest_ip signature_id | where count=1

tnoelOTS · ‎10-19-2016

The Dedup command is not working for this application because it returns 1 of the results that had a duplicate value so in my example above dedup gives me Event 1 and event 3 I want to only get event 3 from the search results.

aaraneta_splunk · ‎12-01-2016

@tnoelOTS - Did sundareshr's updated search provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

sundareshr · ‎10-19-2016

Try the updated search

gokadroid · ‎10-19-2016

Updated search should work.

How to filter out all events that have duplicate values from my search results?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?

How to filter out all events that have duplicate values from my search results?

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!