Splunk Search

Using dedup with multiple fields

tmontney
Builder

I can do the following separately, and I get the results I want.

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name

I'm having trouble combining the two.

1 Solution

woodcock
Esteemed Legend

It really depends on what you are trying to do (your question is too vague). Try this:

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search
   index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name]

Or this:

index="wineventlog" (EventIdentifier="4624" OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*"))) | dedup ComputerName New_Process_Name


somesoni2
SplunkTrust

This should do it:

index="wineventlog" (EventIdentifier="4624") OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*")) | eval dedupfield=if(EventIdentifier="4624", ComputerName, New_Process_Name) | dedup dedupfield


tmontney
Builder

You need ...| append [**search** index ...]


woodcock
Esteemed Legend

Yes, fixed now.


tmontney
Builder

As I said, I want to combine the two searches. I don't know how I can make it any more specific than that.

First throws an error ("unknown command index") and second only matches event 4688.


peters1901
Explorer

Use a comma to combine multiple dedup fields:

dedup Computer_Name,New_Process_Name

tmontney
Builder

Same results as using woodcock's answer. I only get results for event 4688.

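An added example, not from any post in this thread, that builds on somesoni2's eval approach. By default dedup discards any event in which one of the listed fields is missing, and 4624 logon events carry no New_Process_Name, which is why dedup ComputerName New_Process_Name returns only 4688 events. Deriving one key per event type and including EventIdentifier in the dedup (so a host name and a process path can never collide) yields one event per logged-on host and one per Office process launch; the field names are taken from the thread:

```spl
index="wineventlog" (EventIdentifier="4624" OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*")))
| eval dedupfield=case(EventIdentifier="4624", ComputerName, EventIdentifier="4688", New_Process_Name)
| dedup EventIdentifier dedupfield
| table _time EventIdentifier ComputerName New_Process_Name
```

The closing table command only shapes the output and can be dropped if you want the raw events.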

sundareshr
Legend

What results are you looking for?


gcusello
SplunkTrust

Did you try the "append" command?
Bye.
Giuseppe

gcusello
SplunkTrust

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search index="wineventlog" EventIdentifier="4688" (New_Process_Name="word.exe" OR New_Process_Name="excel.exe" OR New_Process_Name="outlook.exe") | dedup New_Process_Name]

Are you sure that the searches have results? I tried on my Splunk and I get the addition of the two searches.

Bye.
Giuseppe


tmontney
Builder

They did. As I said in my OP, both searches on their own produce results.


tmontney
Builder

Just now got append working.
