Hi Guys,
I have built the Authentication datamodel on the Splunk ES. However I am dealing with a dilemma of duplicate events here.
To explain it in detail:
If an authentication attempt occurs from src **X** to dest **Y**, same event is generated on **X**, **Y** and Domain Controller **A**. I am collecting logs from all the three machines and adding the same into the datamodel. So, when I use **tstats count** against the datamodel, I see 3 events depicting 3 attempts instead of one.
The only way I see out of removing this duplicate is by adding **src** or **host** as an additional separator. If so, I won't be able to monitor the criteria of login failures from multiple sources.
So, I was just wanting to know how you guys are tackling it.
Thanks in advance.
↧
