
Why does dedup not return any results?

Scan001
Explorer

Below is an example of a log file I'm trying to analyse (thousands of entries). I wish to remove duplicate entries based on the Acct-Session-Id, so I'm using dedup, e.g.: source="file1" dedup Acct-Session-Id

What I get is: "No results found."

Is there something I'm missing? I have tried all suggestions on this forum.

Sun Jun  2 23:54:41 2014
    Packet-Type = Access-Request
    Acct-Session-Id = "6885EAB8-8056F22CA0AB-0000016600"
    Calling-Station-Id = "80-xx-xx-2xx-xx-AB"
    Called-Station-Id = "00-xx-xx-75-86-D0"
    Vendor-388-Attr-2 = 0xxxx475726f616d
    NAS-Port = 1
    NAS-Port-Type = Wireless-802.11

chimell
Motivator

Hi Scan001,
Try the search with the uniq command:

 source="file1" | table Acct-Session-Id | uniq

Scan001
Explorer

Thanks Chimell,

Unfortunately that returns all records and drops none of the duplicates.


gyslainlatsa
Motivator

Hi,
We must put the pipe before using dedup, because dedup is a command.
dedup removes the events which contain an identical combination of values for the selected fields.
Also check whether the field acc-session_id used by dedup appears highlighted in the results,
because if acc-session_id is a field, it will not work.

check and let me know.


Scan001
Explorer

Hey,
Thanks for the quick answer. I have tried it with and without the pipe. It does try to run when I use the pipe, but returns zero results.

Any ideas?


Scan001
Explorer

Hey.

Okay, I don't understand the second part of your answer. This may be the source of my problem. What do you mean by
" if the field acc-session_id used by dedup appears in highlight the results. because if acc-session_id is a field....."

Apologies if this is a very basic question; I'm a newbie and I'm just getting the hang of the language.


gyslainlatsa
Motivator

I just asked you to check whether the Acct-Session-Id field appears in the events and whether it has multiple values.
Try this query: source="file1" | table Acct-Session-Id | dedup Acct-Session-Id and let me know if you get results.


Scan001
Explorer

Yes, it is in every record. I tried your suggestion, but the duplicates are not filtered out, the complete set is returned.

Frustrating!


gyslainlatsa
Motivator

When you remove dedup, do you get results?

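To make the expected behaviour concrete, here is an added example (not code from any of the posters) that parses the log layout quoted in the question and applies dedup semantics in Python: keep the first event for each distinct Acct-Session-Id, which is what Splunk's dedup does once it is placed after a pipe (source="file1" | dedup Acct-Session-Id). The records, session ids and port numbers in the sample are constructed; only the attribute names and layout mirror the question's log.

```python
import re

# Constructed sample in the layout quoted in the question: an unindented
# timestamp line starts each event, indented "Name = value" lines follow.
# The first two records share one Acct-Session-Id (the access request and
# its accounting record); the third belongs to a different session.
SAMPLE_LOG = """\
Sun Jun  2 23:54:41 2014
    Packet-Type = Access-Request
    Acct-Session-Id = "6885EAB8-8056F22CA0AB-0000016600"
    NAS-Port = 1
Sun Jun  2 23:54:45 2014
    Packet-Type = Accounting-Request
    Acct-Session-Id = "6885EAB8-8056F22CA0AB-0000016600"
    NAS-Port = 1
Sun Jun  2 23:55:02 2014
    Packet-Type = Access-Request
    Acct-Session-Id = "6885EAB8-8056F22CA0AB-0000016601"
    NAS-Port = 2
"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_events(text):
    """Split the log into a list of dicts, one per event (quotes stripped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: new event header
            events.append({"_time": line.strip()})
        elif events:
            m = ATTR_RE.match(line)
            if m:
                events[-1][m.group(1)] = m.group(2)
    return events

def dedup(events, *fields):
    """Mimic Splunk's dedup: keep the first event seen per distinct combination
    of the named fields; like dedup's default, drop events lacking any field."""
    seen, kept = set(), []
    for ev in events:
        if any(f not in ev for f in fields):
            continue
        key = tuple(ev[f] for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept
```

Running dedup(parse_events(SAMPLE_LOG), "Acct-Session-Id") leaves two events, one per session; adding Packet-Type as a second field keeps all three, since each combination is distinct.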