Is it possible to use dedup on more than 1 attribute?
This is my search:
| dedup Object_Name
I want to add another argument, like this:
| dedup (Object_Name AND time)
If it is possible, please provide me with the syntax.
The command
dedup field1,field2
works okay if you have fields in field one that are similar and fields in field 3 which are also similar.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup
Yes, adding more fields as arguments to dedup will filter events to only show unique combinations of field values. E.g. if you have a log that contains logins from your users (userA and userB), with possible outcomes of 'failed' and 'success':
sourcetype=mylogin | dedup user, status | table user, status
user   status
userA  success
userB  failed
userB  success
userA  failed
Adding a time element to the dedup may produce more events than you want, since time will likely differ over time, so to speak. Thus you might want to use the built-in fields like date_hour etc., or make use of the bucket command before the dedup.
Hope this helps,
Kristian
Then perhaps something like the following:
your base search | eval access_time = strftime(_time, "%F %T") | chart list(access_time) over Object_Name by UserID
No dedup in this case.
Nope, doesn't work.
I want to monitor all the files in a shared folder to see who deleted, updated, tried to access and opened any file.
I succeeded in all of the above except the file open event.
When someone opens a file I get multiple events, even though all I want is 1 event saying that a person opened a file and the file name is C://..
Using dedup by object name solved the problem and got only 1 event per file open, but introduced another problem: if a user opened a file multiple times it will only count as 1 time. That's why I want to add the time to the dedup condition.
The solution? It depends on what you want to show. Perhaps you want to look into stats or timechart, e.g.
...| stats values(Object_Name) by UserID, date_mday
or
...| timechart span=1h list(Object_Name) by UserID
The possibilities are endless. Please provide a more detailed description of your desired output.
I am searching for files opened. This is my search:
EventCode=4656 Object_Type=File | dedup Object_Name
It works excellently, but there is a problem: when I open the file more than once in the last week it will only show me 1 event.
That's why I want to add the time with the object name, but like you said it gave me more results than I want.
So what is the solution?
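As an added example that is not part of the thread (it is neither Kristian's nor the asker's search), this applies Kristian's "bucket before dedup" suggestion to the EventCode=4656 search above. It assumes the field names already used in the thread (Object_Name, UserID) and treats all handle events for the same user and file within a constructed 5-minute window as one open; the first search lists one row per open, the second counts opens per user and file over the whole search window.

```spl
EventCode=4656 Object_Type=File
| bucket _time span=5m
| dedup UserID, Object_Name, _time
| eval opened_at=strftime(_time, "%F %T")
| table opened_at, UserID, Object_Name
| sort 0 opened_at

EventCode=4656 Object_Type=File
| bucket _time span=5m
| dedup UserID, Object_Name, _time
| stats count AS opens, min(_time) AS first_open, max(_time) AS last_open by UserID, Object_Name
| convert ctime(first_open) ctime(last_open)
```

Two genuine opens of the same file by the same user inside one 5-minute window still collapse into a single row, and a burst of events straddling a window boundary counts as two, so pick the span to match how quickly your users reopen files.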