https://community.splunk.com/t5/Splunk-Search/Retain-columns-in-lookup-table-but-not-creating-duplicates/m-p/514510#M144404 <P>I have a saved search which runs every month and looks at my vulnerability events and outputs the results into a lookup table. I am deduping the "Plugin ID" value so that I am only getting unique vulnerabilities in my lookup table.&nbsp; I have also added 3 extra columns to the lookup table, but the search results from the saved search will not have these columns .&nbsp; I'm struggling with how to retain the values of those columns while still appending new results to the table. The search below that I have tried, is retaining the extra columns but it is duplicating the results each time the search is run.&nbsp;&nbsp;</P><P>I've tried not using the append=t with the outputlookup but that just replaces my whole lookup table and deletes the extra columns that I need in there.&nbsp;</P><P>Is there any other way that I can use outputlookup and retain the extra columns but still deduping the plugin ID? Thank you!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| stats values(state) as State, values(severity) as Severity, values(tags) as "Tags", values(plugin.name) as "Plugin Name", values(plugin_publication_date) as "Plugin Publication Date", count by plugin_id | rename plugin_id as "Plugin ID", count as "Total Hosts" | eval Severity=lower(Severity) | sort num(Severity), -num("Total Hosts") | inputlookup Vulnerabilities append=t | dedup "Plugin ID" | outputlookup Vulnerabilities append=t</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Mon, 17 Aug 2020 18:20:46 GMT tromero3 2020-08-17T18:20:46Z https://community.splunk.com/t5/Splunk-Search/Retain-columns-in-lookup-table-but-not-creating-duplicates/m-p/514510#M144404 <P>I have a saved search which runs every month and looks at my vulnerability events and outputs the results into a lookup table. I am deduping the "Plugin ID" value so that I am only getting unique vulnerabilities in my lookup table.&nbsp; I have also added 3 extra columns to the lookup table, but the search results from the saved search will not have these columns .&nbsp; I'm struggling with how to retain the values of those columns while still appending new results to the table. The search below that I have tried, is retaining the extra columns but it is duplicating the results each time the search is run.&nbsp;&nbsp;</P><P>I've tried not using the append=t with the outputlookup but that just replaces my whole lookup table and deletes the extra columns that I need in there.&nbsp;</P><P>Is there any other way that I can use outputlookup and retain the extra columns but still deduping the plugin ID? Thank you!</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| stats values(state) as State, values(severity) as Severity, values(tags) as "Tags", values(plugin.name) as "Plugin Name", values(plugin_publication_date) as "Plugin Publication Date", count by plugin_id | rename plugin_id as "Plugin ID", count as "Total Hosts" | eval Severity=lower(Severity) | sort num(Severity), -num("Total Hosts") | inputlookup Vulnerabilities append=t | dedup "Plugin ID" | outputlookup Vulnerabilities append=t</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Mon, 17 Aug 2020 18:20:46 GMT https://community.splunk.com/t5/Splunk-Search/Retain-columns-in-lookup-table-but-not-creating-duplicates/m-p/514510#M144404 tromero3 2020-08-17T18:20:46Z https://community.splunk.com/t5/Splunk-Search/Retain-columns-in-lookup-table-but-not-creating-duplicates/m-p/514516#M144406 <LI-CODE lang="markup">| stats values(state) as State, values(severity) as Severity, values(tags) as "Tags", values(plugin.name) as "Plugin Name", values(plugin_publication_date) as "Plugin Publication Date", count by plugin_id | rename plugin_id as "Plugin ID", count as "Total Hosts" | eval Severity=lower(Severity) | sort num(Severity), -num("Total Hosts") | inputlookup Vulnerabilities append=t | stats values(*) by "Plugin ID" | outputlookup Vulnerabilities append=t </LI-CODE><P>&nbsp;</P><P>stats values(*) is just to give you an idea, you can change.</P><P>upvote if my answer solves your problem</P> Mon, 17 Aug 2020 19:10:02 GMT https://community.splunk.com/t5/Splunk-Search/Retain-columns-in-lookup-table-but-not-creating-duplicates/m-p/514516#M144406 thambisetty 2020-08-17T19:10:02Z https://community.splunk.com/t5/Splunk-Search/Retain-columns-in-lookup-table-but-not-creating-duplicates/m-p/514524#M144412 <P>Hmm I dont understand.&nbsp; When I do that, all it does is add extra duplicate values in the column for Plugin ID....</P> Mon, 17 Aug 2020 19:31:18 GMT https://community.splunk.com/t5/Splunk-Search/Retain-columns-in-lookup-table-but-not-creating-duplicates/m-p/514524#M144412 tromero3 2020-08-17T19:31:18Z https://community.splunk.com/t5/Splunk-Search/Retain-columns-in-lookup-table-but-not-creating-duplicates/m-p/514530#M144415 <P>can you provide csv lookup header.</P> Mon, 17 Aug 2020 19:44:45 GMT https://community.splunk.com/t5/Splunk-Search/Retain-columns-in-lookup-table-but-not-creating-duplicates/m-p/514530#M144415 thambisetty 2020-08-17T19:44:45Z https://community.splunk.com/t5/Splunk-Search/Retain-columns-in-lookup-table-but-not-creating-duplicates/m-p/514560#M144428 <P>Plugin ID, State, Severity, Tags, Plugin Name, Plugin Publication Date, Total Hosts, Case Number, Date Submitted, Days Since Submitted</P><P>The last 3 are the values that are not in the search, only lookup table.&nbsp;</P> Mon, 17 Aug 2020 22:31:37 GMT https://community.splunk.com/t5/Splunk-Search/Retain-columns-in-lookup-table-but-not-creating-duplicates/m-p/514560#M144428 tromero3 2020-08-17T22:31:37Z