Splunk Search

Using dedup with multiple fields

tmontney
Builder

I can do the following separately, and I get the results I want.

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name

I'm having trouble combining the two.

Tags (2)
0 Karma
1 Solution

woodcock
Esteemed Legend

It really depends on what you are trying to do (your question is too vague). Try this:

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search
   index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name]

Or this:

 index="wineventlog" (EventIdentifier="4624" OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*"))) | dedup ComputerName New_Process_Name

View solution in original post

somesoni2
Revered Legend

This should do it

 index="wineventlog" (EventIdentifier="4624") OR ( EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*")) | eval dedupfield=if(EventIdentifier="4624", ComputerName,  New_Process_Name) | dedup dedupfield

woodcock
Esteemed Legend

It really depends on what you are trying to do (your question is too vague). Try this:

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search
   index="wineventlog" EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*") | dedup New_Process_Name]

Or this:

 index="wineventlog" (EventIdentifier="4624" OR (EventIdentifier="4688" AND (New_Process_Name="*word.exe*" OR New_Process_Name="*excel.exe*" OR New_Process_Name="*outlook.exe*"))) | dedup ComputerName New_Process_Name

View solution in original post

tmontney
Builder

You need ...| append [**search** index ...]

0 Karma

woodcock
Esteemed Legend

Yes, fixed. now.

0 Karma

tmontney
Builder

As I said, I want to combine the two searches. I don't know how I can make it any more specific than that.

First throws an error ("unknown command index") and second only matches event 4688.

0 Karma

peters1901
Explorer

use comma to combine multiple dedup fields .

dedup Computer_Name,New_Process_Name

tmontney
Builder

Same results as using woodcock's answer. I only get results for event 4688.

0 Karma

sundareshr
Legend

What results are you looking for?

0 Karma

gcusello
SplunkTrust
SplunkTrust

did you tried with the "append" command?
Bye.
Giuseppe

gcusello
SplunkTrust
SplunkTrust

index="wineventlog" EventIdentifier="4624" | dedup ComputerName
| append [ search index="wineventlog" EventIdentifier="4688" (New_Process_Name="word.exe" OR New_Process_Name="excel.exe" OR New_Process_Name="outlook.exe") | dedup New_Process_Name]

are you sure that the searches have results? I trided on my Splunk and I have the addition of the two searches

Bye.
Giuseppe

0 Karma

tmontney
Builder

They did. As I said in my OP, both searches on their own produce results.

0 Karma

tmontney
Builder

Just now got append working.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!