Splunk Enterprise

How to add a new entry to a lookup so that older values are overridden by new values?

sagar_shubham23
Explorer

Why am I getting duplicate entries while using outputlookup?

Query: 

|inputlookup append=t test1_checks.csv| eval Alert_type="test2", Correlated_alert="test2", Correlation_type=0| outputlookup append=true test1_checks.csv

Result:

Alert_type    Correlated_alert
test2         test2
test2         test2
test2         test2

I need only one entry for all kind of entries in Alert_type and Correlated_alert.

Kindly help

somesoni2
SplunkTrust

Give this a try

|inputlookup append=t test1_checks.csv
| append [| makeresults | eval Alert_type="test2", Correlated_alert="test2", Correlation_type=0 | table Alert_type Correlated_alert Correlation_type ]
| stats last(Correlation_type) as Correlation_type by Alert_type Correlated_alert
| outputlookup append=true test1_checks.csv

richgalloway
SplunkTrust

The append=true option to outputlookup tells Splunk to keep the existing lookup file content. To replace the content with the current result set, use append=false (the default).

| inputlookup test1_checks.csv
| eval Alert_type="test2", Correlated_alert="test2", Correlation_type=0
| outputlookup test1_checks.csv

As @somesoni2 mentioned, to eliminate duplicate entries, you need to use the stats or dedup command.

---
If this reply helps you, Karma would be appreciated.
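Added example, not from either reply: a Python model of the two searches with the lookup file held as an in-memory CSV string. It shows why the original search (inputlookup of every row, eval onto all of them, outputlookup append=true) adds another batch of duplicate rows on every run, while loading the lookup, appending the new row, keeping the last value per key (what stats last(...) by the key fields does) and writing the whole set back with the default append=false converges to one row per key and lets a later value for the same key replace the older one. Field names are the post's; the starting row test1 is constructed.

```python
import csv
import io

FIELDS = ("Alert_type", "Correlated_alert", "Correlation_type")
KEY_FIELDS = ("Alert_type", "Correlated_alert")

# Constructed starting contents of test1_checks.csv (not from the post).
INITIAL_LOOKUP = "Alert_type,Correlated_alert,Correlation_type\ntest1,test1,1\n"
NEW_ROW = {"Alert_type": "test2", "Correlated_alert": "test2", "Correlation_type": "0"}

def read_lookup(text):
    """inputlookup: every CSV row becomes one result."""
    return list(csv.DictReader(io.StringIO(text)))

def outputlookup(text, rows, append):
    """outputlookup: append=true keeps the file's rows and adds the result set;
    append=false (the default) replaces the file with the result set."""
    out = (read_lookup(text) if append else []) + rows
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(out)
    return buf.getvalue()

def naive_run(text, new_row=NEW_ROW):
    """The original search: inputlookup loads every existing row, eval stamps the
    new values onto each of them, and append=true writes those rows back on top
    of the rows already in the file, so every run adds another batch."""
    results = [dict(r, **new_row) for r in read_lookup(text)] or [dict(new_row)]
    return outputlookup(text, results, append=True)

def upsert_run(text, new_row=NEW_ROW):
    """The fix: add the new row as its own result (append [| makeresults ...]),
    keep the last Correlation_type seen per key (stats last(...) by key fields),
    and write the whole deduplicated set back with the default append=false."""
    results = read_lookup(text) + [dict(new_row)]
    by_key = {}
    for r in results:  # later rows win, as stats last() does in arrival order
        by_key[tuple(r[f] for f in KEY_FIELDS)] = dict(r)
    return outputlookup(text, list(by_key.values()), append=False)

def rows_after(run, n):
    """Run one search variant n times (n scheduled executions) and return the rows."""
    text = INITIAL_LOOKUP
    for _ in range(n):
        text = run(text)
    return read_lookup(text)
```

Running naive_run twice from the one-row start already yields three test2 rows, the shape the question shows; each further run doubles the file.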