Hi,
1. Unfortunately the picture which you have attached does not display any results.
2. You are searching the audit log index for additions/modifications/deletions performed by users other than admin. I do not expect this data to contain exact duplicate events. Such as an admin\user deleting\creating the same exact record with the same exact rdata and name twice.
3. I currently only have 8.4.2 and 8.4.3, so unfortunately I have not reviewed this in 8.4.4 but nothing significant has changed from the Splunk perspective, in these versions.
4. Your are not using any transforming commands in your search and it would therefore return raw events.
5. Could you try the below and see if it works?
sourcetype = ib:audit index = ib_audit | sort - _time | rename TIMESTAMP as "Timestamp" , ADMIN as "Admin" , ACTION as "Action" , OBJECT_TYPE as "Object Type" , OBJECT_NAME as "Object Name" , EXEC_STATUS as "Execution Status" , MESSAGE as "Message" , host as "Member" | search ( Action = Created OR Action = Modified OR Action = Deleted ) Admin!=admin |table Admin, Action |uniq
6. Please note that the uniq command only removes a search result if that result is an exact duplicate of the previous result.
ie; If the output of your search is the below, it will not remove anything.
Admin Action
user1 Deleted
user1 Created
user1 Deleted
7. Consider using 'dedup'
sourcetype = ib:audit index = ib_audit | sort - _time | rename TIMESTAMP as "Timestamp" , ADMIN as "Admin" , ACTION as "Action" , OBJECT_TYPE as "Object Type" , OBJECT_NAME as "Object Name" , EXEC_STATUS as "Execution Status" , MESSAGE as "Message" , host as "Member" | search ( Action = Created OR Action = Modified OR Action = Deleted ) Admin!=admin |table Admin, Action |dedup Admin, Action
Let me know if this helps.
Best Regards,
Bibin Thomas
3284 
0
