Solved: help with splunk dedup

vinchakov_a · ‎07-08-2014

Hello, please help me. How I can dedup this:

Jul  8 07:58:01 host crond[7597]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:56:01 host crond[7595]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:55:01 host crond[7586]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:54:01 host crond[7540]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:52:01 host crond[7486]: pam_unix(crond:account): password for user post_sender will expire in 2 days

I tried to make dedup _raw but they differ on timestamp

gfuente · ‎07-08-2014

Hello

Maybe you´ll prefer to use the cluster command

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Cluster

Regards

View solution in original post

gfuente · ‎07-08-2014

Hello

Maybe you´ll prefer to use the cluster command

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Cluster

Regards

vinchakov_a · ‎07-08-2014

thnx!! good

help with splunk dedup

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

help with splunk dedup

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases