Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

remove duplicate or similar event in a trasaction command from the search

amir_thales
Path Finder
‎01-05-2018 07:56 AM

Hello Everybody,

I want to remove similar event which are in a transaction command.

In my case, I want to merge the eventcode 4663 similar so that only 1 eventcode 4663

Be careful, there are event code 4663 that are not similar so there will be 2 event code 4663 in this case.

Here is my request which display the result below:

host="XXXX" "eventcode=4663" OR "eventcode=7036" | transaction startswith="*running state." endswith="*stopped state."

i try dedup but without success.

Thank you
Amir

alt text

Tags (1)
Preview file
45 KB
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-05-2018 08:16 AM

Hi @amir_thales,

I'm uncleared about your requirement.

Meanwhile can you please try mvdedup?

host="XXXX" "eventcode=4663" OR "eventcode=7036" | transaction startswith="*running state." endswith="*stopped state." | eval eventcode=mvdedup(eventcode).

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/MultivalueEvalFunctions#mvde...

Thanks

0 Karma
Reply

amir_thales
Path Finder
‎01-08-2018 01:54 AM

Hello @kamlesh_vaghela and everybody,

The solution you proposed to me does not work.

I want to merge the same events which are between eventcode="7036", i want to merge all duplicates so that only one eventcode = "4663" remains.

But i want to do a difference between eventcode="4663" there are message where the eventcode is 4663 but the message is different and i want to merge duplicate and only display a message of each.

for example 1:

eventcode"7336"
eventcode"4663" -> message A
eventcode"4663" -> message A ---> here i want to merge eventcode"4663"so that there is only one left because these events are the same.
eventcode"4663" -> message A
eventcode"7336"

example 2:

eventcode"7336"
eventcode"4663" -> message A
eventcode"4663" -> message A ---> here i want to merge eventcode"4663"->message A so that there is only one left because these events are the same.
eventcode"4663" -> message B ---> here i want to remove one eventcode"4663"->message B so that there is only one left because these events are the same
eventcode"4663" -> message B
eventcode"7336"

thank you

Amir

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-08-2018 05:05 AM

Hi @amir_thales,
Can you please share sample events?

0 Karma
Reply

amir_thales
Path Finder
‎01-08-2018 05:13 AM

@kamlesh_vaghela,

i put a sample in my first post.

i have 3 eventcode"4663" and i want to merge them.

Maybe, i must do something before to do the "transaction" but i don't know any function which merge similar events.

thank you

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-08-2018 05:57 AM

Hi
Can you please try this ?

sourcetype="WinEventLog:Security"  "EventCode=4663" OR "EventCode=7036"
| rex field=_raw "EventCode=(?<EventRaw>.*)" max_match=0
| eval EventRaw=mvdedup(EventRaw) 
| table _time EventRaw
0 Karma
Reply

amir_thales
Path Finder
‎01-08-2018 06:06 AM

@kamlesh_vaghela,

This request display me a table which list all eventcode"4663".

So i want just merge the eventcode"4663" which are between the eventcode"7036".

I just read the different evencode'4663' and I noticed that the eventcodes "4663" were not identical because the application that executes is different.

So much for me and thank you for your help.

If you know a function or a way of answering the original question even if my problem is solved it would not be a refusal, so it will be useful for me in the future.

Thank you
Amir

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...