Reporting search returns duplicate entries?
08-14-2019 12:19 PM
Hi team,
I have a custom search where I am looking for any modifications done by the admins, but the results always show up as duplicates. This is critical for me as I am counting the modifications made, and it is really important for me to have only unique results. I have the impression the command "| uniq" does not work as expected anymore.
Search string:
sourcetype = ib:audit index = ib_audit | sort - _time | rename TIMESTAMP as "Timestamp" , ADMIN as "Admin" , ACTION as "Action" , OBJECT_TYPE as "Object Type" , OBJECT_NAME as "Object Name" , EXEC_STATUS as "Execution Status" , MESSAGE as "Message" , host as "Member" | search ( Action = Created OR Action = Modified OR Action = Deleted ) Admin!=admin | uniq
Results of search:
Re: Reporting search returns duplicate entries?
08-15-2019 12:41 AM
Maybe to highlight: I am using NIOS 8.4.4, and when I try to replicate the same on 8.4.3 I don't get duplicate entries!!
Re: Reporting search returns duplicate entries?
08-20-2019 12:01 PM
Hi,
1. Unfortunately the picture which you have attached does not display any results.
2. You are searching the audit log index for additions/modifications/deletions performed by users other than admin. I do not expect this data to contain exact duplicate events, such as an admin/user deleting/creating the same exact record with the same exact rdata and name twice.
3. I currently only have 8.4.2 and 8.4.3, so unfortunately I have not reviewed this in 8.4.4 but nothing significant has changed from the Splunk perspective, in these versions.
4. You are not using any transforming commands in your search, and it would therefore return raw events.
5. Could you try the below and see if it works?
sourcetype = ib:audit index = ib_audit | sort - _time | rename TIMESTAMP as "Timestamp" , ADMIN as "Admin" , ACTION as "Action" , OBJECT_TYPE as "Object Type" , OBJECT_NAME as "Object Name" , EXEC_STATUS as "Execution Status" , MESSAGE as "Message" , host as "Member" | search ( Action = Created OR Action = Modified OR Action = Deleted ) Admin!=admin |table Admin, Action |uniq
6. Please note that the uniq command only removes a search result if that result is an exact duplicate of the previous result.
i.e. if the output of your search is the below, it will not remove anything.
Admin   Action
user1   Deleted
user1   Created
user1   Deleted
7. Consider using 'dedup'
sourcetype = ib:audit index = ib_audit | sort - _time | rename TIMESTAMP as "Timestamp" , ADMIN as "Admin" , ACTION as "Action" , OBJECT_TYPE as "Object Type" , OBJECT_NAME as "Object Name" , EXEC_STATUS as "Execution Status" , MESSAGE as "Message" , host as "Member" | search ( Action = Created OR Action = Modified OR Action = Deleted ) Admin!=admin |table Admin, Action |dedup Admin, Action
Let me know if this helps.
Best Regards,
Bibin Thomas
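Added example (not from the thread, NIOS or the Splunk app): a small Python simulation of the `uniq` and `dedup` semantics described in the answer above, run over constructed ib:audit-style rows, so the effect of each command on a modification count can be checked. The rows, timestamps and object names are made up; `spl_uniq`, `spl_dedup` and `project` are hypothetical helpers that mimic `uniq`, `dedup` and `table`.

```python
# Constructed sample rows, already in "| sort - _time" order (newest first).
# Row 2 is an exact duplicate of row 1; rows 1 and 4 are distinct deletions by user1.
AUDIT_ROWS = [
    {"Timestamp": "2019-08-14 12:05:00", "Admin": "user1", "Action": "Deleted",  "Object Name": "host-a.example"},
    {"Timestamp": "2019-08-14 12:05:00", "Admin": "user1", "Action": "Deleted",  "Object Name": "host-a.example"},
    {"Timestamp": "2019-08-14 12:03:00", "Admin": "user1", "Action": "Created",  "Object Name": "host-b.example"},
    {"Timestamp": "2019-08-14 12:01:00", "Admin": "user1", "Action": "Deleted",  "Object Name": "host-c.example"},
    {"Timestamp": "2019-08-14 11:58:00", "Admin": "user2", "Action": "Modified", "Object Name": "host-b.example"},
]


def project(rows, *fields):
    """Mimics `| table f1, f2`: keep only the named fields, preserving row order."""
    return [{f: row.get(f) for f in fields} for row in rows]


def spl_uniq(rows):
    """Mimics `| uniq`: drop a row only when it is identical to the row immediately before it."""
    out = []
    for row in rows:
        if not out or row != out[-1]:
            out.append(row)
    return out


def spl_dedup(rows, *fields):
    """Mimics `| dedup f1, f2`: keep the first row seen for each combination of field values."""
    seen, out = set(), []
    for row in rows:
        key = tuple(row.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(row)
    return out


if __name__ == "__main__":
    # uniq on the raw events removes only the adjacent exact duplicate: 5 -> 4
    print("uniq (raw events):", len(spl_uniq(AUDIT_ROWS)))
    # table Admin, Action | uniq: the two distinct user1 deletions are not adjacent, so both stay
    print("table + uniq:", [r["Action"] for r in spl_uniq(project(AUDIT_ROWS, "Admin", "Action"))])
    # dedup Admin, Action collapses every (admin, action) pair to one row: 5 -> 3,
    # so it undercounts when the goal is counting individual changes
    print("dedup Admin, Action:", len(spl_dedup(AUDIT_ROWS, "Admin", "Action")))
    # dedup on a key that identifies the change keeps distinct changes and drops the true duplicate: 5 -> 4
    print("dedup full key:", len(spl_dedup(AUDIT_ROWS, "Timestamp", "Admin", "Action", "Object Name")))
```

When the purpose of the report is counting changes, the fields handed to `dedup` decide whether two different deletions by the same admin survive as two rows or are folded into one.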