Using dedup with multiple fields

tmontney
Builder

I can do the following separately, and I get the results I want.

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name

I'm having trouble combining the two.

0 Karma
1 Solution

woodcock
Esteemed Legend

It really depends on what you are trying to do (your question is too vague). Try this:

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search
   index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name]

Or this:

index="wineventlog" (EventIdentifier="4624" OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*"))) | dedup ComputerName New_Process_Name


somesoni2
Revered Legend

This should do it

index="wineventlog" (EventIdentifier="4624") OR ( EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*")) | eval dedupfield=if(EventIdentifier="4624", ComputerName,  New_Process_Name) | dedup dedupfield


tmontney
Builder

You need ...| append [**search** index ...]

0 Karma

woodcock
Esteemed Legend

Yes, fixed now.

0 Karma

tmontney
Builder

As I said, I want to combine the two searches. I don't know how I can make it any more specific than that.

First throws an error ("unknown command index") and second only matches event 4688.

0 Karma

peters1901
Explorer

Use a comma to combine multiple dedup fields.

dedup Computer_Name,New_Process_Name

tmontney
Builder

Same results as using woodcock's answer. I only get results for event 4688.

0 Karma

sundareshr
Legend

What results are you looking for?

0 Karma

gcusello
SplunkTrust

Did you try the "append" command?
Bye.
Giuseppe

gcusello
SplunkTrust

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search index="wineventlog" EventIdentifier="4688" (New_Process_Name="word.exe" OR New_Process_Name="excel.exe" OR New_Process_Name="outlook.exe") | dedup New_Process_Name]

Are you sure that the searches have results? I tried it on my Splunk and I get the addition of the two searches.

Bye.
Giuseppe

0 Karma

tmontney
Builder

They did. As I said in my OP, both searches on their own produce results.

0 Karma

tmontney
Builder

Just now got append working.

0 Karma