https://community.splunk.com/t5/Splunk-Search/Lookup-Tables-Dedup/m-p/493165#M137540 <P>Hello,<BR /> I Googled and checked several answer posts, but perhaps I am not wording it correctly in the search engines.</P> <P>I have a lookup table and I want to remove duplicates from the table itself. Not just when the table is being used.<BR /> There are 3 fields: <STRONG>ACCT</STRONG>, <STRONG>AUID</STRONG>, <STRONG>ADDR</STRONG>.<BR /> It is quite possible that a user may login from another PC, so I need to keep entries where the <STRONG>ACCT</STRONG> and <STRONG>AUID</STRONG> are the same but the <STRONG>ADDR</STRONG> is different. I using <EM>append=true</EM> in my <EM>outputlookup</EM> command to add new entries. Issue is, all entries are being added to the lookup, including those containing duplicate values of those 3 fields.<BR /> Here is my SPL (which is running in a dashboard).</P> <PRE><CODE>index="linuxevents" AND host=rub.us AND source="/var/log/audit/audit.log" AND acct="$userId_tok$" | stats count by acct, auid, addr | fields acct, auid, addr | head limit=0 | table acct, auid, addr --&gt; | rename acct AS ACCT, auid AS AUID, addr AS ADDR | table ACCT, AUID, ADDR | outputlookup myAAAlookup.csv append=true </CODE></PRE> <P>I am aware that I can run this to remove duplicates at search time.</P> <PRE><CODE>| inputlookup myAAAlookup.csv | dedup ACCT,AUID,ADDR | outputlookup myAAAlookup.csv append=true </CODE></PRE> <P>However, I want to remove all duplicate entries from the lookup table itself. The table should contain only 5 rows at this time of testing. Instead, there are over 300 duplicate rows, and growing each time the dashboard is run.</P> <P>Thanks and God bless,<BR /> Genesius</P> Fri, 04 Oct 2019 21:00:11 GMT genesiusj 2019-10-04T21:00:11Z https://community.splunk.com/t5/Splunk-Search/Lookup-Tables-Dedup/m-p/493165#M137540 <P>Hello,<BR /> I Googled and checked several answer posts, but perhaps I am not wording it correctly in the search engines.</P> <P>I have a lookup table and I want to remove duplicates from the table itself. Not just when the table is being used.<BR /> There are 3 fields: <STRONG>ACCT</STRONG>, <STRONG>AUID</STRONG>, <STRONG>ADDR</STRONG>.<BR /> It is quite possible that a user may login from another PC, so I need to keep entries where the <STRONG>ACCT</STRONG> and <STRONG>AUID</STRONG> are the same but the <STRONG>ADDR</STRONG> is different. I using <EM>append=true</EM> in my <EM>outputlookup</EM> command to add new entries. Issue is, all entries are being added to the lookup, including those containing duplicate values of those 3 fields.<BR /> Here is my SPL (which is running in a dashboard).</P> <PRE><CODE>index="linuxevents" AND host=rub.us AND source="/var/log/audit/audit.log" AND acct="$userId_tok$" | stats count by acct, auid, addr | fields acct, auid, addr | head limit=0 | table acct, auid, addr --&gt; | rename acct AS ACCT, auid AS AUID, addr AS ADDR | table ACCT, AUID, ADDR | outputlookup myAAAlookup.csv append=true </CODE></PRE> <P>I am aware that I can run this to remove duplicates at search time.</P> <PRE><CODE>| inputlookup myAAAlookup.csv | dedup ACCT,AUID,ADDR | outputlookup myAAAlookup.csv append=true </CODE></PRE> <P>However, I want to remove all duplicate entries from the lookup table itself. The table should contain only 5 rows at this time of testing. Instead, there are over 300 duplicate rows, and growing each time the dashboard is run.</P> <P>Thanks and God bless,<BR /> Genesius</P> Fri, 04 Oct 2019 21:00:11 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-Tables-Dedup/m-p/493165#M137540 genesiusj 2019-10-04T21:00:11Z https://community.splunk.com/t5/Splunk-Search/Lookup-Tables-Dedup/m-p/493166#M137541 <P>Add the inputlookup command to your saved search to dedup before you output. <BR /> Run it without the outputlookup command first for testing purposes. </P> <PRE><CODE>index="linuxevents" AND host=rub.us AND source="/var/log/audit/audit.log" AND acct="$userId_tok$" | stats count as _count by acct, auid, addr | rename acct AS ACCT, auid AS AUID, addr AS ADDR | inputlookup myAAAlookup.csv append=true | dedup ACCT AUID ADDR | outputlookup myAAAlookup.csv append=true </CODE></PRE> Fri, 04 Oct 2019 21:41:47 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-Tables-Dedup/m-p/493166#M137541 cmerriman 2019-10-04T21:41:47Z https://community.splunk.com/t5/Splunk-Search/Lookup-Tables-Dedup/m-p/493167#M137542 <P>@cmerriman <BR /> Thank you for your reply.<BR /> I have a couple of questions.</P> <OL> <LI>What is <STRONG>_count</STRONG>?</LI> <LI>I understand "<STRONG>append=true</STRONG>" for <STRONG>inputlookup</STRONG>. Why is it used on the <STRONG>outputlookup</STRONG>?</LI> </OL> <P>Thanks and God bless,<BR /> Genesius</P> Tue, 08 Oct 2019 19:14:52 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-Tables-Dedup/m-p/493167#M137542 genesiusj 2019-10-08T19:14:52Z