Can you list time-unique events as one event if ce...

d648777 · ‎02-06-2019

Hi,

I'm a complete novice to Splunk, so forgive me if the following is basic/doesn't make sense. I'm trying to reduce noise in the extracted results of a search by identifying and matching data in fields from time-unique events and grouping them/ listing them as one event if the criteria matches (i.e. if (fieldA, fieldB, fieldC) are the same between dateTime1 and dateTime2 for event_a and event_b (or any additional events), then list/table as a single event).

Hoping someone can help or point me in the right direction.

Thanks!

vishaltaneja070 · ‎02-06-2019

Hello @d648777

I think you are talking about removing duplicate when you are running the search based on fields fieldA, fieldB and FieldC.

You can use dedup command to achieve this like <your_search> | dedup fieldA, fieldB, fieldC

d648777 · ‎02-06-2019

Thanks for your answer! This is in the direction, but I'm trying to set a time-frame constraint in the sense that if fieldA, fieldB and fieldC are the same for event_a and event_ b in a 5 minute time period, list/table as one event; however, if fieldA, fieldB and fieldC are the same in event_a and event_b and the time difference between event_a and event_b is greater than 5 minutes, table them as separate events.

vishaltaneja070 · ‎02-06-2019

@d648777

Something like this can work for you:

    index=*  | eventstats latest(_time) as lat , earliest(_time) as ear | eval Diff= lat - ear +1  | search Diff > 300 
     |append [search index=*  | eventstats latest(_time) as lat , earliest(_time) as ear | eval Diff= lat - ear +1 |dedup fieldA, fieldB, fieldC | search Diff < 300]

Can you list time-unique events as one event if certain fields match?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!