Solved: How to dedup in a search with a Lookup table?

earriaga · ‎11-09-2022

I have a working search that uses a look up, that is like this:

index=MyIndex

  [| inputlookup MyCSVFile

    | stats values(email) AS EmailAddress

    | format]

|chart count(Code) as NumCodes  over EmailAddress |sort -NumCodes

This works, but there are duplicate codes, so i want the search to count only unique codes per user.

I am not sure how to say Count Unique.

Thank you for your help!!

richgalloway · ‎11-09-2022

Splunk uses "distinct_count" for Count Unique.

index=MyIndex
  [| inputlookup MyCSVFile
   | stats values(email) AS EmailAddress
   | format]
| chart distinct_count(Code) as NumCodes  over EmailAddress 
| sort - NumCodes

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-09-2022

Splunk uses "distinct_count" for Count Unique.

index=MyIndex
  [| inputlookup MyCSVFile
   | stats values(email) AS EmailAddress
   | format]
| chart distinct_count(Code) as NumCodes  over EmailAddress 
| sort - NumCodes

---
If this reply helps you, Karma would be appreciated.

How to dedup in a search with a Lookup table?

count

lookup

stats

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform