Solved: help with splunk dedup

vinchakov_a · ‎07-08-2014

Hello, please help me. How I can dedup this:

Jul  8 07:58:01 host crond[7597]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:56:01 host crond[7595]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:55:01 host crond[7586]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:54:01 host crond[7540]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:52:01 host crond[7486]: pam_unix(crond:account): password for user post_sender will expire in 2 days

I tried to make dedup _raw but they differ on timestamp

gfuente · ‎07-08-2014

Hello

Maybe you´ll prefer to use the cluster command

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Cluster

Regards

View solution in original post

gfuente · ‎07-08-2014

Hello

Maybe you´ll prefer to use the cluster command

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Cluster

Regards

vinchakov_a · ‎07-08-2014

thnx!! good

help with splunk dedup

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Join the Conversation

help with splunk dedup

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...