Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

using dedup with multiple attributes

isesiem
New Member
‎10-06-2013 11:38 PM

is it possible to use dedup to more than 1 attribute,,

this is my search
| dedup Object_Name

i want to add another argument like this
| dedup (Object_Name AND time)

if it is possible please provide me with the syntax

Tags (1)
0 Karma
Reply

waruike
Engager
‎11-29-2020 11:40 PM

The Command 

dedup field1,field2

works okay if you have fields in fields one that are similar and fields in fields 3 which are also similar

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-06-2013 11:52 PM

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup

Yes, adding more fields as arguments to dedup will filter events to only show unique combinations of field values. E.g. if you have a log that contains logins from your users (userA and userB), with possible outcomes of 'failed' and 'success';

sourcetype=mylogin | dedup user, status | table user, status

user    status
userA   success
userB   failed
userB   success
userA   failed

Adding a time element to the dedup may produce more events than you want, since time will likely differ over time, so-to-speak. Thus you might want to use the built-in fields like date_hour etc, or make use of the bucket command before the dedup.

Hope this helps,

Kristian

Reply

kristian_kolb
Ultra Champion
‎10-07-2013 03:32 AM

then perhaps something like the following;

your base search | eval access_time = strftime(_time, "%F %T")| chart list(access_time) over Object_Name by UserID

no dedup in this case.

0 Karma
Reply

mendesjo
Path Finder
‎05-18-2016 02:55 PM

nope doesn't work..

0 Karma
Reply

isesiem
New Member
‎10-07-2013 02:43 AM

i want to monitor all the files in ( Shared Folder ) to see who deleted , updated , tried to access and opened any file

i succeeded in all of the above except the file open event

when someone opens a file i get multiple events even though all i want is 1 event saying that a person opened a file and the file name is C://..

using dedup by object name solved the problem and got only 1 event per file open,, but introduced another problem that if a user opened a file multiple time it will only count as 1 time ,,, that's why i want to add the time event to the dedup condition

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-07-2013 01:25 AM

The solution? It depends on what you want to show. Perhaps you want to look into stats or timechart, e.g.

...| stats values(Object_Name) by UserID, date_mday
or
...| timechart span=1h list(Object_Name) by UserID

The possibilities are endless. Please provide a more detailed description of your desired output.

0 Karma
Reply

isesiem
New Member
‎10-07-2013 12:32 AM

i am searching for file opened this is my search

EventCode=4656 Object_Type=File | dedup Object_Name

it works excellent but there is a problem that when i open the file more than onece in the last week it will only show me 1 event ,,

that's why i want to add the time with the object name ,, but like you said it gave me more result than i want,,

so what is the solution

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top