- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- using dedup with multiple attributes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
using dedup with multiple attributes
is it possible to use dedup to more than 1 attribute,,
this is my search
| dedup Object_Name
i want to add another argument like this
| dedup (Object_Name AND time)
if it is possible please provide me with the syntax
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Command
dedup field1,field2
works okay if you have fields in fields one that are similar and fields in fields 3 which are also similar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup
Yes, adding more fields as arguments to dedup will filter events to only show unique combinations of field values. E.g. if you have a log that contains logins from your users (userA and userB), with possible outcomes of 'failed' and 'success';
sourcetype=mylogin | dedup user, status | table user, status
user status
userA success
userB failed
userB success
userA failed
Adding a time element to the dedup may produce more events than you want, since time will likely differ over time, so-to-speak. Thus you might want to use the built-in fields like date_hour etc, or make use of the bucket command before the dedup.
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
then perhaps something like the following;
your base search | eval access_time = strftime(_time, "%F %T")| chart list(access_time) over Object_Name by UserID
no dedup in this case.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nope doesn't work..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i want to monitor all the files in ( Shared Folder ) to see who deleted , updated , tried to access and opened any file
i succeeded in all of the above except the file open event
when someone opens a file i get multiple events even though all i want is 1 event saying that a person opened a file and the file name is C://..
using dedup by object name solved the problem and got only 1 event per file open,, but introduced another problem that if a user opened a file multiple time it will only count as 1 time ,,, that's why i want to add the time event to the dedup condition
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The solution? It depends on what you want to show. Perhaps you want to look into stats or timechart, e.g.
...| stats values(Object_Name) by UserID, date_mday
or
...| timechart span=1h list(Object_Name) by UserID
The possibilities are endless. Please provide a more detailed description of your desired output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am searching for file opened this is my search
EventCode=4656 Object_Type=File | dedup Object_Name
it works excellent but there is a problem that when i open the file more than onece in the last week it will only show me 1 event ,,
that's why i want to add the time with the object name ,, but like you said it gave me more result than i want,,
so what is the solution
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
