topic How to output a single result when matching multiple results within a lookup table. in Splunk Enterprise Security https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-output-a-single-result-when-matching-multiple-results/m-p/458636#M6542 <P>I have an application file imported to be used as a lookup table in order to set the priority on servers within Assets and Identity but the file uses risk tiers instead of priorities. To get around this, I have created a risk tier priority lookup table. I can get the priority assign to each server on the list but what I can't seem to accomplish is to have only the server with the highest priority field returned and if there is no defined Risk Tier, I want to auto assign it a low priority. Server names below are in order for visual simplicity.</P> <P>applications_to_servers.csv<BR /> Server,RiskTier,Application<BR /> serverA,0,App1<BR /> serverA,1,App2<BR /> serverB,0,App1<BR /> serverC,2,App3<BR /> serverC,3,App4<BR /> serverD, ,App5</P> <P>risktier_priority.csv<BR /> RiskTier,priority<BR /> 0,critical<BR /> 1,high<BR /> 2,medium<BR /> 3,low</P> <P>| inputlookup applications_to_servers.csv <BR /> | lookup risktier_priority.csv RiskTier <BR /> | sort RiskTier<BR /> | fields Server RiskTier priority Application</P> <P>My search result output:<BR /> Server RiskTier Priority Application<BR /> serverA 0 critical App1<BR /> serverA 1 high App2<BR /> serverB 0 critical App1<BR /> serverC 2 medium App3<BR /> serverC 3 low App4<BR /> serverD App5</P> <P>Desired output:<BR /> Server RiskTier Priority Application<BR /> serverA 0 critical App1<BR /> serverB 0 critical App1<BR /> serverC 2 medium App3<BR /> serverD low App5</P> Wed, 30 Sep 2020 00:33:46 GMT edhealea 2020-09-30T00:33:46Z How to output a single result when matching multiple results within a lookup table. https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-output-a-single-result-when-matching-multiple-results/m-p/458636#M6542 <P>I have an application file imported to be used as a lookup table in order to set the priority on servers within Assets and Identity but the file uses risk tiers instead of priorities. To get around this, I have created a risk tier priority lookup table. I can get the priority assign to each server on the list but what I can't seem to accomplish is to have only the server with the highest priority field returned and if there is no defined Risk Tier, I want to auto assign it a low priority. Server names below are in order for visual simplicity.</P> <P>applications_to_servers.csv<BR /> Server,RiskTier,Application<BR /> serverA,0,App1<BR /> serverA,1,App2<BR /> serverB,0,App1<BR /> serverC,2,App3<BR /> serverC,3,App4<BR /> serverD, ,App5</P> <P>risktier_priority.csv<BR /> RiskTier,priority<BR /> 0,critical<BR /> 1,high<BR /> 2,medium<BR /> 3,low</P> <P>| inputlookup applications_to_servers.csv <BR /> | lookup risktier_priority.csv RiskTier <BR /> | sort RiskTier<BR /> | fields Server RiskTier priority Application</P> <P>My search result output:<BR /> Server RiskTier Priority Application<BR /> serverA 0 critical App1<BR /> serverA 1 high App2<BR /> serverB 0 critical App1<BR /> serverC 2 medium App3<BR /> serverC 3 low App4<BR /> serverD App5</P> <P>Desired output:<BR /> Server RiskTier Priority Application<BR /> serverA 0 critical App1<BR /> serverB 0 critical App1<BR /> serverC 2 medium App3<BR /> serverD low App5</P> Wed, 30 Sep 2020 00:33:46 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-output-a-single-result-when-matching-multiple-results/m-p/458636#M6542 edhealea 2020-09-30T00:33:46Z Re: How to output a single result when matching multiple results within a lookup table. https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-output-a-single-result-when-matching-multiple-results/m-p/458637#M6543 <P>Hi,</P> <P>This is one way to do it:</P> <PRE><CODE>| inputlookup applications_to_servers.csv | eventstats min(RiskTier) as mr by Server | where RiskTier=mr OR isnull(mr) | lookup risktier_priority.csv RiskTier | fillnull value="low" priority | table Server RiskTier priority Application </CODE></PRE> <P>The eventstats will keep track of the minimum RiskTier per Server, and the where clause will only keep the ones where the RiskTier is the same as minimum.</P> <P>Hth,<BR /> -Kai.</P> Tue, 14 May 2019 08:12:59 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-output-a-single-result-when-matching-multiple-results/m-p/458637#M6543 knielsen 2019-05-14T08:12:59Z Re: How to output a single result when matching multiple results within a lookup table. https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-output-a-single-result-when-matching-multiple-results/m-p/458638#M6544 <P>Kai, That works perfectly. Thanks for the help and explanation. -Ed</P> Tue, 14 May 2019 15:37:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-output-a-single-result-when-matching-multiple-results/m-p/458638#M6544 edhealea 2019-05-14T15:37:10Z