Solved: Re: help with splunk dedup

vinchakov_a · ‎07-08-2014

Hello, please help me. How I can dedup this:

Jul  8 07:58:01 host crond[7597]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:56:01 host crond[7595]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:55:01 host crond[7586]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:54:01 host crond[7540]: pam_unix(crond:account): password for user post_sender will expire in 2 days
Jul  8 07:52:01 host crond[7486]: pam_unix(crond:account): password for user post_sender will expire in 2 days

I tried to make dedup _raw but they differ on timestamp

gfuente · ‎07-08-2014

Hello

Maybe you´ll prefer to use the cluster command

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Cluster

Regards

View solution in original post

gfuente · ‎07-08-2014

Hello

Maybe you´ll prefer to use the cluster command

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Cluster

Regards

vinchakov_a · ‎07-08-2014

thnx!! good

help with splunk dedup

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

help with splunk dedup

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...