Hi
I'm currently trying to use Splunk to identify when a log is produced with the same line twice (e.g. below)
Wed 20 12:06:15 ( 3313) E1: [9] Login: "xx" from 127.0.0.1/james
Wed 20 12:06:15 ( 3313) E1: [9] Login: "xx" from 127.0.0.1/james
However, much of the same data is found in thousands of other logs that I'm not interested in.
Is there any way to search for this particularly? The xx would stay the same; however, the user at the end would change depending on who it was who logged in.
Thanks!
Hi
Thanks for your help, but it didn't work sadly. I am searching for the username as the search before the pipe; however, it's bringing everything up as a count of 1.
Give this a try
your base search to find above type of logs | stats count by _raw | where count > 1
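As an added example (not from the thread, and not Splunk's own code), here is the same duplicate check written in Python over a few constructed log lines in the format from the question. The regex field layout (timestamp, pid, code, event, quoted tag, host/user) is an assumption based on the two sample lines; real logs may differ. The block also contrasts counting by the whole raw line, which is what `stats count by _raw` does and only groups lines that are byte-for-byte identical, with counting by parsed fields, which still pairs two lines that differ only in trailing whitespace.

```python
import re
from collections import Counter

# Constructed sample lines in the question's format (not real data). The last
# line deliberately carries trailing spaces to show the raw-vs-field difference.
SAMPLE_LINES = [
    'Wed 20 12:06:15 ( 3313) E1: [9] Login: "xx" from 127.0.0.1/james',
    'Wed 20 12:06:15 ( 3313) E1: [9] Login: "xx" from 127.0.0.1/james',
    'Wed 20 12:06:16 ( 3313) E1: [9] Login: "xx" from 127.0.0.1/sarah',
    'Wed 20 12:06:17 ( 3313) E1: [9] Logout: "xx" from 127.0.0.1/james',
    'Wed 20 12:06:18 ( 3314) E1: [9] Login: "xx" from 127.0.0.1/james',
    'Wed 20 12:06:18 ( 3314) E1: [9] Login: "xx" from 127.0.0.1/james  ',
]

# Assumed field layout (inferred from the two sample lines, not documented):
#   <day> <hour> (<pid>) <code>: [<n>] <event>: "<tag>" from <host>/<user>
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) \(\s*(?P<pid>\d+)\) (?P<code>\w+): '
    r'\[(?P<n>\d+)\] (?P<event>\w+): "(?P<tag>[^"]*)" from (?P<host>[^/]+)/(?P<user>\S+)$'
)


def parse_line(line):
    """Return a dict of named fields for one log line, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_raw_duplicates(lines):
    """Equivalent of `... | stats count by _raw | where count > 1`:
    group on the exact line text and keep only groups seen more than once."""
    counts = Counter(lines)
    return {raw: c for raw, c in counts.items() if c > 1}


def find_duplicates(lines, event="Login", tag="xx"):
    """Group on parsed fields instead of the raw text.

    Only lines for the wanted event and tag are counted (the question's "xx"
    stays constant while the user varies), and the key includes the user so
    two different people logging in at the same second are not merged.
    Returns {(ts, pid, host, user): count} for keys seen more than once."""
    counts = Counter()
    for raw in lines:
        f = parse_line(raw)
        if f is None or f["event"] != event or f["tag"] != tag:
            continue
        counts[(f["ts"], f["pid"], f["host"], f["user"])] += 1
    return {k: c for k, c in counts.items() if c > 1}


if __name__ == "__main__":
    print("raw duplicates:  ", find_raw_duplicates(SAMPLE_LINES))
    print("field duplicates:", find_duplicates(SAMPLE_LINES))
```

On the sample, the raw grouping reports only the first pair, because the pid 3314 pair differs by trailing whitespace; the field-keyed grouping reports both pairs and ignores the Logout line and the sarah login.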