Hi Guys,
I have built the Authentication datamodel on the Splunk ES. However I am dealing with a dilemma of duplicate events here.
To explain it in detail:
If an authentication attempt occurs from src X to dest Y, same event is generated on X, Y and Domain Controller A. I am collecting logs from all the three machines and adding the same into the datamodel. So, when I use tstats count against the datamodel, I see 3 events depicting 3 attempts instead of one.
The only way I see out of removing this duplicate is by adding src or host as an additional separator. If so, I won't be able to monitor the criteria of login failures from multiple sources.
So, I was just wanting to know how you guys are tackling it.
Thanks in advance.