Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

using dedup with multiple attributes

isesiem
New Member
‎10-06-2013 11:38 PM

is it possible to use dedup to more than 1 attribute,,

this is my search
| dedup Object_Name

i want to add another argument like this
| dedup (Object_Name AND time)

if it is possible please provide me with the syntax

Tags (1)
0 Karma
Reply

waruike
Engager
‎11-29-2020 11:40 PM

The Command 

dedup field1,field2

works okay if you have fields in fields one that are similar and fields in fields 3 which are also similar

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-06-2013 11:52 PM

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup

Yes, adding more fields as arguments to dedup will filter events to only show unique combinations of field values. E.g. if you have a log that contains logins from your users (userA and userB), with possible outcomes of 'failed' and 'success';

sourcetype=mylogin | dedup user, status | table user, status

user    status
userA   success
userB   failed
userB   success
userA   failed

Adding a time element to the dedup may produce more events than you want, since time will likely differ over time, so-to-speak. Thus you might want to use the built-in fields like date_hour etc, or make use of the bucket command before the dedup.

Hope this helps,

Kristian

Reply

kristian_kolb
Ultra Champion
‎10-07-2013 03:32 AM

then perhaps something like the following;

your base search | eval access_time = strftime(_time, "%F %T")| chart list(access_time) over Object_Name by UserID

no dedup in this case.

0 Karma
Reply

mendesjo
Path Finder
‎05-18-2016 02:55 PM

nope doesn't work..

0 Karma
Reply

isesiem
New Member
‎10-07-2013 02:43 AM

i want to monitor all the files in ( Shared Folder ) to see who deleted , updated , tried to access and opened any file

i succeeded in all of the above except the file open event

when someone opens a file i get multiple events even though all i want is 1 event saying that a person opened a file and the file name is C://..

using dedup by object name solved the problem and got only 1 event per file open,, but introduced another problem that if a user opened a file multiple time it will only count as 1 time ,,, that's why i want to add the time event to the dedup condition

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-07-2013 01:25 AM

The solution? It depends on what you want to show. Perhaps you want to look into stats or timechart, e.g.

...| stats values(Object_Name) by UserID, date_mday
or
...| timechart span=1h list(Object_Name) by UserID

The possibilities are endless. Please provide a more detailed description of your desired output.

0 Karma
Reply

isesiem
New Member
‎10-07-2013 12:32 AM

i am searching for file opened this is my search

EventCode=4656 Object_Type=File | dedup Object_Name

it works excellent but there is a problem that when i open the file more than onece in the last week it will only show me 1 event ,,

that's why i want to add the time with the object name ,, but like you said it gave me more result than i want,,

so what is the solution

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...