- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- problem with duplicate event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
problem with duplicate event
Hi,
I have two records that are equal to a value different as do the rest to only show me a record, the first
Also as I do if I want to get only the value Bond1 example of a row and not all fields.
[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
I hope your help, thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this returned in a single event or two separate events? i.e:
event 1 = [1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
event 2 = [1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
or
event 1 = [1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
If these are two events, limit the results of your search to exclude the unwanted event index=your_index "your search criteria" "SERVICE ALERT: oradb4*" etc.
If it is a single event then you can end the event using a transaction index=your_index "your search criteria" "SERVICE ALERT: oradb4*" | transaction endswith="Socket timeout after 10 seconds."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your question is but unclear. If I could understand ur question correctly, all the events are duplicated and you to show/use only 1 event.Correct? If yes, try dedup _raw command.
| dedup _raw
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
apology but was entirely clear. these events and I just want one, the first in this case
[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
and in this case, only the first too
[1421755004] SERVICE ALERT: oradb4;Bond1 TX;CRITICAL;SOFT;1;CHECK_NRPE: Socket timeout after 10 seconds.
[1421755004] SERVICE ALERT: nagios;Eth0 TX;WARNING;SOFT;1;WARNING: Uso de eth0 para TX: 11167 kb/s
all those who have the following message: CHECK_NRPE: Socket timeout after 10 seconds.
thanks a lot
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
