Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

hide the duplicate events

rbw78
Communicator
‎01-06-2012 07:02 AM

Hello,

I have 2 sources of events with "almost" the same framework and some of them reference the same event with the same content.
I want to hide in my search the events which matchs between the both sources for seeing only the single events.
I don't know what kind of function i have to use to do that (dedup, correlate ????)

Here is a single event from the 2 differents sources

Event in source 1

Jan  5 14:11:09 10.233.118.0 Jan  5 14:11:09 LX2AW8DSY CEF:0|Trend Micro|OfficeScan Intrusion Defense Firewall|6.1.0.69|1004371|Mozilla Firefox Obfuscated URLs Within Iframes Vulnerability|6|dmac=F0:DE:F1:18:58:49 smac=00:21:55:EF:8F:FF src=10.5.69.50 dst=10.233.118.0 in=1414 proto=TCP spt=8080 dpt=63034 cs2=0x00 ACK cnt=1 act=IDS:Log cn3=503 cs5=761296 cs1=Obfuscated_URL_i cs6=8

Event in source 2

1/5/2012 14:11,LX2AW8DSY,DPI Rule: 1004371 - Mozilla Firefox Obfuscated URLs Within Iframes Vulnerability,Web Client Mozilla FireFox,Detect Only: Log,25,Reverse Flow,F0:DE:F1:18:58:49,TCP,ACK,10.5.69.50,00:21:55:EF:8F:FF,8080,10.233.118.0,F0:DE:F1:18:58:49,63034,1400,"""Obfuscated URL i""",0,0,,1,

I know i can use the date, hours, minutes and type of event to check if there's a duplicate, doing a dedup of the 2 events and hide it.

How could i do that ?

thanks

Tags (3)
0 Karma
Reply

rtadams89
Contributor
‎01-06-2012 12:58 PM

Dedup is still going to return one of the events though. If you want to return only those events that are not in both sets, you could:

Perform a search taht returns both event types in the same result set. Add a field to each event that identifies what "type" or source each event comes from. Maybe | eval type1=if(index=1, "TRUE", "FALSE") | eval type2=if(index=2, "TRUE", "FALSE") |. Then use the transaction command to merge similar events into a single event. Finally, add | where NOT (type1=TRUE AND type2=TRUE) to the end of the search string.

Reply

Ayn
Legend
‎01-06-2012 11:07 AM

Use dedup with the fields you want to dedup on as arguments. So for instance if you have a field rule in both events and want to filter multiple events within the same day of the month, hour and minute, you would do:

... | dedup rule date_mday date_hour date_minute

EDIT: Sorry, I see now that I misunderstood your question, I didn't realize you wanted to remove BOTH events. For that I would advise you to use transaction in a similar way:

... | transaction rule maxspan=1m | search eventcount=1

This will remove all transactions which have more than one event (i.e. the ones with duplicate messages).

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...