Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

using dedup with multiple attributes

isesiem
New Member
‎10-06-2013 11:38 PM

is it possible to use dedup to more than 1 attribute,,

this is my search
| dedup Object_Name

i want to add another argument like this
| dedup (Object_Name AND time)

if it is possible please provide me with the syntax

Tags (1)
0 Karma
Reply

waruike
Engager
‎11-29-2020 11:40 PM

The Command 

dedup field1,field2

works okay if you have fields in fields one that are similar and fields in fields 3 which are also similar

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-06-2013 11:52 PM

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup

Yes, adding more fields as arguments to dedup will filter events to only show unique combinations of field values. E.g. if you have a log that contains logins from your users (userA and userB), with possible outcomes of 'failed' and 'success';

sourcetype=mylogin | dedup user, status | table user, status

user    status
userA   success
userB   failed
userB   success
userA   failed

Adding a time element to the dedup may produce more events than you want, since time will likely differ over time, so-to-speak. Thus you might want to use the built-in fields like date_hour etc, or make use of the bucket command before the dedup.

Hope this helps,

Kristian

Reply

kristian_kolb
Ultra Champion
‎10-07-2013 03:32 AM

then perhaps something like the following;

your base search | eval access_time = strftime(_time, "%F %T")| chart list(access_time) over Object_Name by UserID

no dedup in this case.

0 Karma
Reply

mendesjo
Path Finder
‎05-18-2016 02:55 PM

nope doesn't work..

0 Karma
Reply

isesiem
New Member
‎10-07-2013 02:43 AM

i want to monitor all the files in ( Shared Folder ) to see who deleted , updated , tried to access and opened any file

i succeeded in all of the above except the file open event

when someone opens a file i get multiple events even though all i want is 1 event saying that a person opened a file and the file name is C://..

using dedup by object name solved the problem and got only 1 event per file open,, but introduced another problem that if a user opened a file multiple time it will only count as 1 time ,,, that's why i want to add the time event to the dedup condition

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-07-2013 01:25 AM

The solution? It depends on what you want to show. Perhaps you want to look into stats or timechart, e.g.

...| stats values(Object_Name) by UserID, date_mday
or
...| timechart span=1h list(Object_Name) by UserID

The possibilities are endless. Please provide a more detailed description of your desired output.

0 Karma
Reply

isesiem
New Member
‎10-07-2013 12:32 AM

i am searching for file opened this is my search

EventCode=4656 Object_Type=File | dedup Object_Name

it works excellent but there is a problem that when i open the file more than onece in the last week it will only show me 1 event ,,

that's why i want to add the time with the object name ,, but like you said it gave me more result than i want,,

so what is the solution

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...
Top