I'm looking for a way to dedup a given field for each instance of another field. More specifically:
| eval warningIssued=if(transtype="Show Page" AND failed_policy="OS Patches - Download and Install::OS Patches NOT set to Automatic", 1, 0) | eval nowCompliant=if(compliant_policy="OS Patches - Download and Install::OS Patches set to Automatic",1,0) |
Following this string, I would like to get rid of everything but the earliest event where warningIssued=1 for EACH MAC address, and the earliest event where nowCompliant=1 for EACH MAC address. Is there any way to dedup this way?
I think this could work.
your_search | search warningIssued=1 OR nowCompliant=1 | reverse | dedup MAC warningIssued nowCompliant | whatever_comes_next
but it will be rather slow, since reverse will not make Splunk search oldest-first, it just re-sorts the events once they are all in. If you have a large number of events, or a long time span, this can be quite prohibitive.
The dedup will find the (chronologically, since events are resorted) first unique combinations of MAC, warningIssued and nowCompliant.
This assumes that these fields are present in the events. You might have to add keepempty=true to the dedup command, depending on whether all three fields are always present in an event or not. Also I might have misunderstood the documentation.
Hope this helps,
Kristian
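To make the behaviour of that pipeline concrete, here is an added Python simulation (not part of the question or of Kristian's answer) that applies the two eval commands from the question, the `search warningIssued=1 OR nowCompliant=1` filter, `reverse`, and a Splunk-style `dedup MAC warningIssued nowCompliant` to a handful of constructed events. The field names and event contents are assumptions made for the example; the events are listed newest-first, as Splunk returns them. It also shows the keepempty point from the answer: an event that lacks one of the dedup fields is dropped unless keepempty is set.

```python
"""Simulate: ... | search warningIssued=1 OR nowCompliant=1 | reverse
                  | dedup MAC warningIssued nowCompliant
on constructed events, to show which events survive."""

WARN_POLICY = "OS Patches - Download and Install::OS Patches NOT set to Automatic"
OK_POLICY = "OS Patches - Download and Install::OS Patches set to Automatic"

# Constructed sample events, newest first (as Splunk would return them).
# "id" is only there so results are easy to read and check.
EVENTS = [
    {"id": "E1", "_time": "2024-01-01T12:00", "MAC": "aa:bb:cc:00:00:01", "compliant_policy": OK_POLICY},
    {"id": "E2", "_time": "2024-01-01T11:00", "MAC": "aa:bb:cc:00:00:01", "compliant_policy": OK_POLICY},
    {"id": "E3", "_time": "2024-01-01T10:00", "MAC": "aa:bb:cc:00:00:01", "transtype": "Show Page", "failed_policy": WARN_POLICY},
    {"id": "E5", "_time": "2024-01-01T09:30", "MAC": "aa:bb:cc:00:00:02", "transtype": "Show Page", "failed_policy": WARN_POLICY},
    {"id": "E4", "_time": "2024-01-01T09:00", "MAC": "aa:bb:cc:00:00:01", "transtype": "Show Page", "failed_policy": WARN_POLICY},
    # Wrong transtype: warningIssued evaluates to 0, so the search filter removes it.
    {"id": "E6", "_time": "2024-01-01T08:00", "MAC": "aa:bb:cc:00:00:02", "transtype": "Other", "failed_policy": WARN_POLICY},
    # No MAC field at all: dedup drops it unless keepempty=true.
    {"id": "E7", "_time": "2024-01-01T07:00", "transtype": "Show Page", "failed_policy": WARN_POLICY},
]


def eval_flags(event):
    """The two eval commands from the question, applied to one event."""
    e = dict(event)
    e["warningIssued"] = 1 if (e.get("transtype") == "Show Page" and e.get("failed_policy") == WARN_POLICY) else 0
    e["nowCompliant"] = 1 if e.get("compliant_policy") == OK_POLICY else 0
    return e


def dedup(events, fields, keepempty=False):
    """Splunk-style dedup: keep the first event seen for each distinct
    combination of `fields`, in input order. Events missing any of the
    fields are dropped, unless keepempty=True keeps them all."""
    seen = set()
    kept = []
    for e in events:
        if any(f not in e for f in fields):
            if keepempty:
                kept.append(e)
            continue
        key = tuple(e[f] for f in fields)
        if key in seen:
            continue
        seen.add(key)
        kept.append(e)
    return kept


def earliest_per_mac(events, keepempty=False):
    """Run the whole pipeline; returns surviving events oldest-first."""
    flagged = [eval_flags(e) for e in events]
    flagged = [e for e in flagged if e["warningIssued"] == 1 or e["nowCompliant"] == 1]
    flagged.reverse()  # 'reverse': oldest event first, so dedup keeps the earliest
    return dedup(flagged, ["MAC", "warningIssued", "nowCompliant"], keepempty=keepempty)


if __name__ == "__main__":
    for e in earliest_per_mac(EVENTS):
        print(e["id"], e["_time"], e["MAC"], "warningIssued=%d nowCompliant=%d" % (e["warningIssued"], e["nowCompliant"]))
```

Running it keeps E4 (earliest warning for the first MAC), E5 (earliest warning for the second MAC) and E2 (earliest compliant event for the first MAC); E3 and E1 are later duplicates of the same MAC/flag combination, E6 never passes the search filter, and E7 survives only when keepempty is set. Note that the simulation reverses after filtering, which is cheap here but, as the answer says, still means Splunk has to retrieve all matching events before sorting them.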