Solved: help with splunk dedup

vinchakov_a · ‎07-08-2014

Hello, please help me. How I can dedup this:

Jul  8 07:58:01 host crond[7597]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:56:01 host crond[7595]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:55:01 host crond[7586]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:54:01 host crond[7540]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:52:01 host crond[7486]: pam_unix(crond:account): password for user post_sender will expire in 2 days

I tried to make dedup _raw but they differ on timestamp

gfuente · ‎07-08-2014

Hello

Maybe you´ll prefer to use the cluster command

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Cluster

Regards

View solution in original post

gfuente · ‎07-08-2014

Hello

Maybe you´ll prefer to use the cluster command

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Cluster

Regards

vinchakov_a · ‎07-08-2014

thnx!! good

help with splunk dedup

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!