Solved: Using dedup with multiple fields

tmontney · ‎07-05-2016

I can do the following separately, and I get the results I want.

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name

I'm having trouble combining the two.

woodcock · ‎07-06-2016

It really depends on what you are trying to do (your question is too vague). Try this:

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search
   index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name]

Or this:

 index="wineventlog" (EventIdentifier="4624" OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*"))) | dedup ComputerName New_Process_Name

View solution in original post

somesoni2 · ‎07-06-2016

This should do it

 index="wineventlog" (EventIdentifier="4624") OR ( EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*")) | eval dedupfield=if(EventIdentifier="4624", ComputerName,  New_Process_Name) | dedup dedupfield

woodcock · ‎07-06-2016

It really depends on what you are trying to do (your question is too vague). Try this:

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search
   index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name]

Or this:

 index="wineventlog" (EventIdentifier="4624" OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*"))) | dedup ComputerName New_Process_Name

tmontney · ‎07-06-2016

You need ...| append [**search** index ...]

woodcock · ‎07-06-2016

Yes, fixed. now.

tmontney · ‎07-06-2016

As I said, I want to combine the two searches. I don't know how I can make it any more specific than that.

First throws an error ("unknown command index") and second only matches event 4688.

peters1901 · ‎07-05-2016

use comma to combine multiple dedup fields .

dedup Computer_Name,New_Process_Name

tmontney · ‎07-06-2016

Same results as using woodcock's answer. I only get results for event 4688.

sundareshr · ‎07-05-2016

What results are you looking for?

gcusello · ‎07-05-2016

did you tried with the "append" command?
Bye.
Giuseppe

gcusello · ‎07-06-2016

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search index="wineventlog" EventIdentifier="4688" (New_Process_Name="word.exe" OR New_Process_Name="excel.exe" OR New_Process_Name="outlook.exe") | dedup New_Process_Name]

are you sure that the searches have results? I trided on my Splunk and I have the addition of the two searches

Bye.
Giuseppe

tmontney · ‎07-06-2016

They did. As I said in my OP, both searches on their own produce results.

tmontney · ‎07-06-2016

Just now got append working.

Using dedup with multiple fields

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies