Solved: getting duplicate fields from splunk result

ektasiwani · ‎08-31-2015

Hi,

My requirement is to find is same pair of source and ip addresses are being used.
for example if this is my table

src_ip ,dest_ip,action
192.168.10.2,192.168.10.3,block
192.168.10.21,192.168.10.13,block
192.168.10.2,192.168.10.3,allow

i want as a result:
192.168.10.2,192.168.10.3,allow
192.168.10.2,192.168.10.3,block

How to achieve this?

Thanks

tom_frotscher · ‎08-31-2015

Hi,

you can use the dedup command:

... | dedup src_ip dest_ip action

or you can use stats:

... | stats count by src_ip dest_ip action | fields -count

If possible, you should use stats, it should be faster than dedup. But without further ado, after a stats you only have the fields left, that you used in your by clause.

Greetings

Tom

View solution in original post

chanmi2 · ‎09-01-2015

you may try this:

... | eventstats count by src_ip ,dest_ip | where count = 2

tom_frotscher · ‎08-31-2015

Hi,

you can use the dedup command:

... | dedup src_ip dest_ip action

or you can use stats:

... | stats count by src_ip dest_ip action | fields -count

If possible, you should use stats, it should be faster than dedup. But without further ado, after a stats you only have the fields left, that you used in your by clause.

Greetings

Tom

getting duplicate fields from splunk result

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life