Splunk Search

Using dedup with multiple fields

tmontney
Builder

I can do the following separately, and I get the results I want.

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name

I'm having trouble combining the two.

Tags (2)
0 Karma
1 Solution

woodcock
Esteemed Legend

It really depends on what you are trying to do (your question is too vague). Try this:

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search
   index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name]

Or this:

 index="wineventlog" (EventIdentifier="4624" OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*"))) | dedup ComputerName New_Process_Name

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

This should do it

 index="wineventlog" (EventIdentifier="4624") OR ( EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*")) | eval dedupfield=if(EventIdentifier="4624", ComputerName,  New_Process_Name) | dedup dedupfield

woodcock
Esteemed Legend

It really depends on what you are trying to do (your question is too vague). Try this:

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search
   index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name]

Or this:

 index="wineventlog" (EventIdentifier="4624" OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*"))) | dedup ComputerName New_Process_Name

tmontney
Builder

You need ...| append [**search** index ...]

0 Karma

woodcock
Esteemed Legend

Yes, fixed. now.

0 Karma

tmontney
Builder

As I said, I want to combine the two searches. I don't know how I can make it any more specific than that.

First throws an error ("unknown command index") and second only matches event 4688.

0 Karma

peters1901
Explorer

use comma to combine multiple dedup fields .

dedup Computer_Name,New_Process_Name

tmontney
Builder

Same results as using woodcock's answer. I only get results for event 4688.

0 Karma

sundareshr
Legend

What results are you looking for?

0 Karma

gcusello
SplunkTrust
SplunkTrust

did you tried with the "append" command?
Bye.
Giuseppe

gcusello
SplunkTrust
SplunkTrust

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search index="wineventlog" EventIdentifier="4688" (New_Process_Name="word.exe" OR New_Process_Name="excel.exe" OR New_Process_Name="outlook.exe") | dedup New_Process_Name]

are you sure that the searches have results? I trided on my Splunk and I have the addition of the two searches

Bye.
Giuseppe

0 Karma

tmontney
Builder

They did. As I said in my OP, both searches on their own produce results.

0 Karma

tmontney
Builder

Just now got append working.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...