Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

using dedup with multiple attributes

isesiem
New Member
‎10-06-2013 11:38 PM

is it possible to use dedup to more than 1 attribute,,

this is my search
| dedup Object_Name

i want to add another argument like this
| dedup (Object_Name AND time)

if it is possible please provide me with the syntax

Tags (1)
0 Karma
Reply

waruike
Engager
‎11-29-2020 11:40 PM

The Command 

dedup field1,field2

works okay if you have fields in fields one that are similar and fields in fields 3 which are also similar

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-06-2013 11:52 PM

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup

Yes, adding more fields as arguments to dedup will filter events to only show unique combinations of field values. E.g. if you have a log that contains logins from your users (userA and userB), with possible outcomes of 'failed' and 'success';

sourcetype=mylogin | dedup user, status | table user, status

user    status
userA   success
userB   failed
userB   success
userA   failed

Adding a time element to the dedup may produce more events than you want, since time will likely differ over time, so-to-speak. Thus you might want to use the built-in fields like date_hour etc, or make use of the bucket command before the dedup.

Hope this helps,

Kristian

Reply

kristian_kolb
Ultra Champion
‎10-07-2013 03:32 AM

then perhaps something like the following;

your base search | eval access_time = strftime(_time, "%F %T")| chart list(access_time) over Object_Name by UserID

no dedup in this case.

0 Karma
Reply

mendesjo
Path Finder
‎05-18-2016 02:55 PM

nope doesn't work..

0 Karma
Reply

isesiem
New Member
‎10-07-2013 02:43 AM

i want to monitor all the files in ( Shared Folder ) to see who deleted , updated , tried to access and opened any file

i succeeded in all of the above except the file open event

when someone opens a file i get multiple events even though all i want is 1 event saying that a person opened a file and the file name is C://..

using dedup by object name solved the problem and got only 1 event per file open,, but introduced another problem that if a user opened a file multiple time it will only count as 1 time ,,, that's why i want to add the time event to the dedup condition

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-07-2013 01:25 AM

The solution? It depends on what you want to show. Perhaps you want to look into stats or timechart, e.g.

...| stats values(Object_Name) by UserID, date_mday
or
...| timechart span=1h list(Object_Name) by UserID

The possibilities are endless. Please provide a more detailed description of your desired output.

0 Karma
Reply

isesiem
New Member
‎10-07-2013 12:32 AM

i am searching for file opened this is my search

EventCode=4656 Object_Type=File | dedup Object_Name

it works excellent but there is a problem that when i open the file more than onece in the last week it will only show me 1 event ,,

that's why i want to add the time with the object name ,, but like you said it gave me more result than i want,,

so what is the solution

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top