I’m testing with Splunk, but I have a problem with deduplication.
I’ve input 1000 different IPv4 indicators; after deduplication, there are 750 IPv4 indicators.
Below, one IP address has different values, but after deduplication I can see only one indicator.
My expectation is that it doesn’t deduplicate, or that there are multiple values for this IP address.
How can I address the issue?
The picture below is from MineMeld after deduplication.
Below is the original indicator from Splunk. As you can see, 18.104.22.168 has different values.
Also, I’ve searched the configuration document for Prototype. I found the miner configuration document, but I couldn’t find the prototype for aggregator and output.
Does anyone have a document for aggregator and output?