
Hello,

I have 2 sources of events with "almost" the same framework, and some of them reference the same event with the same content. I want to hide in my search the events which match between both sources, so as to see only the single events. I don't know what kind of function I have to use to do that (dedup, correlate ????)

Here is a single event from the 2 different sources

Event in source 1

Jan  5 14:11:09 10.233.118.0 Jan  5 14:11:09 LX2AW8DSY CEF:0|Trend Micro|OfficeScan Intrusion Defense Firewall|6.1.0.69|1004371|Mozilla Firefox Obfuscated URLs Within Iframes Vulnerability|6|dmac=F0:DE:F1:18:58:49 smac=00:21:55:EF:8F:FF src=10.5.69.50 dst=10.233.118.0 in=1414 proto=TCP spt=8080 dpt=63034 cs2=0x00 ACK cnt=1 act=IDS:Log cn3=503 cs5=761296 cs1=Obfuscated_URL_i cs6=8

Event in source 2

1/5/2012 14:11,LX2AW8DSY,DPI Rule: 1004371 - Mozilla Firefox Obfuscated URLs Within Iframes Vulnerability,Web Client Mozilla FireFox,Detect Only: Log,25,Reverse Flow,F0:DE:F1:18:58:49,TCP,ACK,10.5.69.50,00:21:55:EF:8F:FF,8080,10.233.118.0,F0:DE:F1:18:58:49,63034,1400,"""Obfuscated URL i""",0,0,,1,

I know I can use the date, hours, minutes and type of event to check if there's a duplicate, doing a dedup of the 2 events and hiding it.

How could I do that?

thanks

asked 06 Jan '12, 07:02


rbw78


2 Answers:
-1

Use dedup with the fields you want to dedup on as arguments. So for instance if you have a field rule in both events and want to filter multiple events within the same day of the month, hour and minute, you would do:

... | dedup rule date_mday date_hour date_minute

EDIT: Sorry, I see now that I misunderstood your question, I didn't realize you wanted to remove BOTH events. For that I would advise you to use transaction in a similar way:

... | transaction rule maxspan=1m | search eventcount=1

This will remove all transactions which have more than one event (i.e. the ones with duplicate messages).


answered 06 Jan '12, 11:07


Ayn

edited 07 Jan '12, 00:49

Dedup is still going to return one of the events though. If you want to return only those events that are not in both sets, you could:

Perform a search that returns both event types in the same result set. Add a field to each event that identifies what "type" or source each event comes from. Maybe | eval type1=if(index=1, "TRUE", "FALSE") | eval type2=if(index=2, "TRUE", "FALSE") |. Then use the transaction command to merge similar events into a single event. Finally, add | where NOT (type1=TRUE AND type2=TRUE) to the end of the search string.


answered 06 Jan '12, 12:58


rtadams89
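Both answers above boil down to the same idea: build a correlation key from the fields shared by the two feeds (day, hour, minute, host and rule id), group events on it, and keep only groups that contain a single source. The following Python is an added example, not code from Splunk or from either poster, that carries that logic out offline on the two record formats in the question: the syslog-wrapped CEF line from source 1 and the CSV line from source 2. It assumes the CSV date is month/day/year, that the second CSV column is the host name and the third carries "DPI Rule: <id>", and that the rule id in the CEF header (field 5, the Signature ID) is the same id; the second source-1 event and its rule id 9999999 are constructed for the sample.

```python
import csv
import io
import re

# Constructed sample input (not the site's data). The first source-1 line and the
# source-2 line are the pair from the question; the second source-1 line is a
# constructed event with a made-up rule id that appears in source 1 only.
SOURCE1 = [
    'Jan  5 14:11:09 10.233.118.0 Jan  5 14:11:09 LX2AW8DSY CEF:0|Trend Micro|'
    'OfficeScan Intrusion Defense Firewall|6.1.0.69|1004371|Mozilla Firefox '
    'Obfuscated URLs Within Iframes Vulnerability|6|dmac=F0:DE:F1:18:58:49 '
    'smac=00:21:55:EF:8F:FF src=10.5.69.50 dst=10.233.118.0 in=1414 proto=TCP '
    'spt=8080 dpt=63034 cs2=0x00 ACK cnt=1 act=IDS:Log cn3=503 cs5=761296 '
    'cs1=Obfuscated_URL_i cs6=8',
    'Jan  5 14:12:30 10.233.118.0 Jan  5 14:12:30 LX2AW8DSY CEF:0|Trend Micro|'
    'OfficeScan Intrusion Defense Firewall|6.1.0.69|9999999|Constructed Example '
    'Rule|4|src=10.5.69.51 dst=10.233.118.0 proto=TCP spt=80 dpt=40000',
]
SOURCE2 = [
    '1/5/2012 14:11,LX2AW8DSY,DPI Rule: 1004371 - Mozilla Firefox Obfuscated URLs '
    'Within Iframes Vulnerability,Web Client Mozilla FireFox,Detect Only: Log,25,'
    'Reverse Flow,F0:DE:F1:18:58:49,TCP,ACK,10.5.69.50,00:21:55:EF:8F:FF,8080,'
    '10.233.118.0,F0:DE:F1:18:58:49,63034,1400,"""Obfuscated URL i""",0,0,,1,',
]

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Syslog header (no year), relay address, repeated timestamp, host, then the CEF record.
SYSLOG_CEF = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hh>\d\d):(?P<mm>\d\d):\d\d "
    r"\S+ [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) CEF:(?P<cef>.*)$")

DPI_RULE = re.compile(r"DPI Rule: (\d+)")


def key_from_source1(line):
    """Correlation key (month, day, hour, minute, host, rule id) for a source-1 line.
    Returns None when the line does not parse, so it is never silently hidden."""
    m = SYSLOG_CEF.match(line)
    if not m:
        return None
    # CEF header: Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
    header = m.group("cef").split("|")
    if len(header) < 7:
        return None
    return (MONTHS[m.group("mon")], int(m.group("day")), int(m.group("hh")),
            int(m.group("mm")), m.group("host"), header[4])


def key_from_source2(line):
    """Same key shape for a source-2 CSV line (assumed column order: M/D/Y H:M, host, rule)."""
    row = next(csv.reader(io.StringIO(line)))
    if len(row) < 3:
        return None
    date_part, time_part = row[0].split(" ")
    mon, day, _year = (int(x) for x in date_part.split("/"))
    hh, mm = (int(x) for x in time_part.split(":"))
    r = DPI_RULE.search(row[2])
    if not r:
        return None
    return (mon, day, hh, mm, row[1], r.group(1))


def singletons(source1, source2):
    """Events whose key is seen in exactly one source: the offline equivalent of
    'transaction ... | search eventcount=1' or of dropping rows where both
    type1 and type2 are TRUE. Unparsable lines are kept, not hidden."""
    tagged = [("source1", line, key_from_source1(line)) for line in source1]
    tagged += [("source2", line, key_from_source2(line)) for line in source2]
    sources_per_key = {}
    for src, _line, key in tagged:
        if key is not None:
            sources_per_key.setdefault(key, set()).add(src)
    return [(src, line) for src, line, key in tagged
            if key is None or len(sources_per_key[key]) == 1]


if __name__ == "__main__":
    for src, line in singletons(SOURCE1, SOURCE2):
        print(src, line[:60])
```

Two caveats carry over to the Splunk searches as well. The key is a fixed one-minute bucket, so it only behaves like `transaction rule maxspan=1m` because source 2 truncates seconds; if the second feed rounded instead, a source-1 event at 14:11:40 could land in a different bucket from its twin. And the syslog header carries no year, so the key deliberately omits it; add the year from the index time if the search spans a year boundary.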

Asked: 06 Jan '12, 07:02

Seen: 1,365 times

Last updated: 07 Jan '12, 00:49

Copyright © 2005-2012 Splunk Inc. All rights reserved.