Reply

Reporting search returns duplciate entries ?

Techie
Posts: 6
3304     0

Hi team

 

I have a custom search where I am looking for any modifications doen by the admins but the respults are shown up as duplcate always, this is critical for me as I am counting the modification made and is really important for me to have only uniq resoluts. I have the impresion the comand "| uniq" does not work anymore as expected.

 

Search string:

 

sourcetype = ib:audit index = ib_audit | sort - _time | rename TIMESTAMP as "Timestamp" , ADMIN as "Admin" , ACTION as "Action" , OBJECT_TYPE as "Object Type" , OBJECT_NAME as "Object Name" , EXEC_STATUS as "Execution Status" , MESSAGE as "Message" , host as "Member" | search ( Action = Created OR Action = Modified OR Action = Deleted ) Admin!=admin | uniq

 

Resoults of search:

 

Untitled.png

 

Re: Reporting search returns duplciate entries ?

Techie
Posts: 6
3305     0

Maybe to highlite; I am using 8.4.4 NIOS and when I try to replicate same on 8.4.3 I dont get duplicate entries !!

Re: Reporting search returns duplciate entries ?

Moderator
Moderator
Posts: 72
3305     0

Hi,

1. Unfortunately the picture which you have attached does not display any results.

2. You are searching the audit log index for additions/modifications/deletions performed by users other than admin. I do not expect this data to contain exact duplicate events. Such as an admin\user deleting\creating the same exact record with the same exact rdata and name twice. 

3. I currently only have 8.4.2 and 8.4.3, so unfortunately I have not reviewed this in 8.4.4 but nothing significant has changed from the Splunk perspective, in these versions.

4. Your are not using any transforming commands in your search and it would therefore return raw events.

 

5. Could you try the below and see if it works?

sourcetype = ib:audit index = ib_audit | sort - _time | rename TIMESTAMP as "Timestamp" , ADMIN as "Admin" , ACTION as "Action" , OBJECT_TYPE as "Object Type" , OBJECT_NAME as "Object Name" , EXEC_STATUS as "Execution Status" , MESSAGE as "Message" , host as "Member" | search ( Action = Created OR Action = Modified OR Action = Deleted ) Admin!=admin |table Admin, Action |uniq

 

 

6. Please note that the uniq command only removes a search result if that result is an exact duplicate of the previous result.

ie;
If the output of your search is the below, it will not remove anything.

Admin Action

user1   Deleted
user1   Created
user1   Deleted

 

7. Consider using 'dedup'

sourcetype = ib:audit index = ib_audit | sort - _time | rename TIMESTAMP as "Timestamp" , ADMIN as "Admin" , ACTION as "Action" , OBJECT_TYPE as "Object Type" , OBJECT_NAME as "Object Name" , EXEC_STATUS as "Execution Status" , MESSAGE as "Message" , host as "Member" | search ( Action = Created OR Action = Modified OR Action = Deleted ) Admin!=admin |table Admin, Action |dedup Admin, Action

 

Let me know if this helps.


Best Regards,
Bibin Thomas

Showing results for 
Search instead for 
Did you mean: 

Recommended for You