https://community.splunk.com/t5/Splunk-Search/Consolidate-data-in-table-using-Dedup-command/m-p/579549#M201948 <P>Hello,&nbsp;&nbsp;<BR />I am using the below query to output which of our Searches/Rules are mapped to which Mitre Technique IDs.</P><P>&nbsp;</P><LI-CODE lang="ruby">| inputlookup mitre_all_rule_technique_lookup | `lookup_technique_tactic_from_rule_name` | search rule_disabled=0 | dedup rule_name, technique_id, rule_disabled</LI-CODE><P>&nbsp;</P><P>The Result is as follows:</P><TABLE border="1"><TBODY><TR><TD width="151px" height="25px">rule_name</TD><TD width="151px" height="25px">tactic_ID</TD><TD width="151px" height="25px">tactic_name</TD><TD width="131px" height="25px">Technique_ID</TD><TD width="171px" height="25px">Tecnique_name</TD></TR><TR><TD width="151px" height="25px">Rule001</TD><TD width="151px" height="25px">TA001</TD><TD width="151px" height="25px">Persistence</TD><TD width="131px" height="25px">T1136</TD><TD width="171px" height="25px">Create Account</TD></TR><TR><TD width="151px" height="47px">Rule001</TD><TD width="151px" height="47px">TA002</TD><TD width="151px" height="47px">Persistence</TD><TD width="131px" height="47px">T1098</TD><TD width="171px" height="47px">Account Manipulation</TD></TR><TR><TD width="151px" height="25px">Rule001</TD><TD width="151px" height="25px">TA008</TD><TD width="151px" height="25px">Defense Evasion</TD><TD width="131px" height="25px">Txxxx</TD><TD width="171px" height="25px">Modify infrastructrue</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>As you can see ,&nbsp; it is showing different entries for&nbsp; the same data in the "<STRONG>rule_name</STRONG>" column .&nbsp; &nbsp;The Rule mentioned in the Rule_name column is mapped to 3 different Tactic_ID ,Technique_IDs etc which is why&nbsp; it shows 3 results for the same rule.&nbsp; How can i consolidate all this ?<BR /><BR />Basically this is the output i want :<BR /><BR /></P><TABLE border="1" width="84.30081113624671%"><TBODY><TR><TD width="16.666666666666668%">rule_name</TD><TD width="16.666666666666668%">tactic_ID</TD><TD width="17.827956989247312%">tactic_name</TD><TD width="15.505376344086022%">Technique_ID</TD><TD width="31.525698807996402%">Technique_name</TD></TR><TR><TD width="16.666666666666668%">Rule001</TD><TD width="16.666666666666668%">TA001<BR />TA002<BR />TA008</TD><TD width="17.827956989247312%">Persistence<BR />Persistence<BR />Defense Evasion</TD><TD width="15.505376344086022%">T1136<BR />T1098<BR />TXXXX</TD><TD width="31.525698807996402%">Create Account<BR />Account Manipulation<BR />Modify infrastructure</TD></TR><TR><TD width="16.666666666666668%">Rule002</TD><TD width="16.666666666666668%">TAxxx<BR />TAXXX</TD><TD width="17.827956989247312%">....</TD><TD width="15.505376344086022%">.....</TD><TD width="31.525698807996402%">......</TD></TR><TR><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">&nbsp;</TD><TD width="17.827956989247312%">&nbsp;</TD><TD width="15.505376344086022%">&nbsp;</TD><TD width="31.525698807996402%">&nbsp;</TD></TR></TBODY></TABLE><P><BR />If i change my dedup command in the query&nbsp; to:&nbsp;<STRONG>&nbsp; | dedup rule_name&nbsp; ,&nbsp; </STRONG>then it displays only the 1st row&nbsp; of every rule_name and omits the remaining values.<BR /><BR />Pls advise. I am sure this is something very fundamental.<BR /><BR /></P> Thu, 30 Dec 2021 07:43:35 GMT neerajs_81 2021-12-30T07:43:35Z https://community.splunk.com/t5/Splunk-Search/Consolidate-data-in-table-using-Dedup-command/m-p/579549#M201948 <P>Hello,&nbsp;&nbsp;<BR />I am using the below query to output which of our Searches/Rules are mapped to which Mitre Technique IDs.</P><P>&nbsp;</P><LI-CODE lang="ruby">| inputlookup mitre_all_rule_technique_lookup | `lookup_technique_tactic_from_rule_name` | search rule_disabled=0 | dedup rule_name, technique_id, rule_disabled</LI-CODE><P>&nbsp;</P><P>The Result is as follows:</P><TABLE border="1"><TBODY><TR><TD width="151px" height="25px">rule_name</TD><TD width="151px" height="25px">tactic_ID</TD><TD width="151px" height="25px">tactic_name</TD><TD width="131px" height="25px">Technique_ID</TD><TD width="171px" height="25px">Tecnique_name</TD></TR><TR><TD width="151px" height="25px">Rule001</TD><TD width="151px" height="25px">TA001</TD><TD width="151px" height="25px">Persistence</TD><TD width="131px" height="25px">T1136</TD><TD width="171px" height="25px">Create Account</TD></TR><TR><TD width="151px" height="47px">Rule001</TD><TD width="151px" height="47px">TA002</TD><TD width="151px" height="47px">Persistence</TD><TD width="131px" height="47px">T1098</TD><TD width="171px" height="47px">Account Manipulation</TD></TR><TR><TD width="151px" height="25px">Rule001</TD><TD width="151px" height="25px">TA008</TD><TD width="151px" height="25px">Defense Evasion</TD><TD width="131px" height="25px">Txxxx</TD><TD width="171px" height="25px">Modify infrastructrue</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>As you can see ,&nbsp; it is showing different entries for&nbsp; the same data in the "<STRONG>rule_name</STRONG>" column .&nbsp; &nbsp;The Rule mentioned in the Rule_name column is mapped to 3 different Tactic_ID ,Technique_IDs etc which is why&nbsp; it shows 3 results for the same rule.&nbsp; How can i consolidate all this ?<BR /><BR />Basically this is the output i want :<BR /><BR /></P><TABLE border="1" width="84.30081113624671%"><TBODY><TR><TD width="16.666666666666668%">rule_name</TD><TD width="16.666666666666668%">tactic_ID</TD><TD width="17.827956989247312%">tactic_name</TD><TD width="15.505376344086022%">Technique_ID</TD><TD width="31.525698807996402%">Technique_name</TD></TR><TR><TD width="16.666666666666668%">Rule001</TD><TD width="16.666666666666668%">TA001<BR />TA002<BR />TA008</TD><TD width="17.827956989247312%">Persistence<BR />Persistence<BR />Defense Evasion</TD><TD width="15.505376344086022%">T1136<BR />T1098<BR />TXXXX</TD><TD width="31.525698807996402%">Create Account<BR />Account Manipulation<BR />Modify infrastructure</TD></TR><TR><TD width="16.666666666666668%">Rule002</TD><TD width="16.666666666666668%">TAxxx<BR />TAXXX</TD><TD width="17.827956989247312%">....</TD><TD width="15.505376344086022%">.....</TD><TD width="31.525698807996402%">......</TD></TR><TR><TD width="16.666666666666668%">&nbsp;</TD><TD width="16.666666666666668%">&nbsp;</TD><TD width="17.827956989247312%">&nbsp;</TD><TD width="15.505376344086022%">&nbsp;</TD><TD width="31.525698807996402%">&nbsp;</TD></TR></TBODY></TABLE><P><BR />If i change my dedup command in the query&nbsp; to:&nbsp;<STRONG>&nbsp; | dedup rule_name&nbsp; ,&nbsp; </STRONG>then it displays only the 1st row&nbsp; of every rule_name and omits the remaining values.<BR /><BR />Pls advise. I am sure this is something very fundamental.<BR /><BR /></P> Thu, 30 Dec 2021 07:43:35 GMT https://community.splunk.com/t5/Splunk-Search/Consolidate-data-in-table-using-Dedup-command/m-p/579549#M201948 neerajs_81 2021-12-30T07:43:35Z https://community.splunk.com/t5/Splunk-Search/Consolidate-data-in-table-using-Dedup-command/m-p/579551#M201949 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>did you tried to use the stats command?</P><P>something like this:</P><LI-CODE lang="markup">| inputlookup mitre_all_rule_technique_lookup | `lookup_technique_tactic_from_rule_name` | search rule_disabled=0 | stats values(tactic_ID) AS tactic_ID values(tactic_name) AS tactic_name values(Technique_ID) AS Technique_ID values(Tecnique_name) AS Tecnique_name BY rule_name</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 30 Dec 2021 07:49:07 GMT https://community.splunk.com/t5/Splunk-Search/Consolidate-data-in-table-using-Dedup-command/m-p/579551#M201949 gcusello 2021-12-30T07:49:07Z https://community.splunk.com/t5/Splunk-Search/Consolidate-data-in-table-using-Dedup-command/m-p/579552#M201950 <P>Thank you very much.&nbsp;</P> Thu, 30 Dec 2021 07:52:57 GMT https://community.splunk.com/t5/Splunk-Search/Consolidate-data-in-table-using-Dedup-command/m-p/579552#M201950 neerajs_81 2021-12-30T07:52:57Z https://community.splunk.com/t5/Splunk-Search/Consolidate-data-in-table-using-Dedup-command/m-p/579553#M201951 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>good for you, see next time.</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 30 Dec 2021 07:56:10 GMT https://community.splunk.com/t5/Splunk-Search/Consolidate-data-in-table-using-Dedup-command/m-p/579553#M201951 gcusello 2021-12-30T07:56:10Z