Solved: help with splunk dedup

vinchakov_a · ‎07-08-2014

Hello, please help me. How I can dedup this:

Jul  8 07:58:01 host crond[7597]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:56:01 host crond[7595]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:55:01 host crond[7586]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:54:01 host crond[7540]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:52:01 host crond[7486]: pam_unix(crond:account): password for user post_sender will expire in 2 days

I tried to make dedup _raw but they differ on timestamp

gfuente · ‎07-08-2014

Hello

Maybe you´ll prefer to use the cluster command

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Cluster

Regards

View solution in original post

gfuente · ‎07-08-2014

Hello

Maybe you´ll prefer to use the cluster command

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Cluster

Regards

vinchakov_a · ‎07-08-2014

thnx!! good

help with splunk dedup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation