Solved: How to dedup in a search with a Lookup table?

earriaga · ‎11-09-2022

I have a working search that uses a look up, that is like this:

index=MyIndex

  [| inputlookup MyCSVFile

    | stats values(email) AS EmailAddress

    | format]

|chart count(Code) as NumCodes  over EmailAddress |sort -NumCodes

This works, but there are duplicate codes, so i want the search to count only unique codes per user.

I am not sure how to say Count Unique.

Thank you for your help!!

richgalloway · ‎11-09-2022

Splunk uses "distinct_count" for Count Unique.

index=MyIndex
  [| inputlookup MyCSVFile
   | stats values(email) AS EmailAddress
   | format]
| chart distinct_count(Code) as NumCodes  over EmailAddress 
| sort - NumCodes

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-09-2022

Splunk uses "distinct_count" for Count Unique.

index=MyIndex
  [| inputlookup MyCSVFile
   | stats values(email) AS EmailAddress
   | format]
| chart distinct_count(Code) as NumCodes  over EmailAddress 
| sort - NumCodes

---
If this reply helps you, Karma would be appreciated.

How to dedup in a search with a Lookup table?

count

lookup

stats

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?