Solved: Re: How to eliminate duplicate rows in a scheduled...

joydeep741 · ‎07-16-2018

I have created a search to populate a lookup periodically.

 index x sourcetype=y | outputlookup abc.csv append=true

Lookup is like

EventId, Start, End
000,1,2
111,3,5

I do not want duplicate rows for EventId. My current logic is not taking care of that.
What can I add to the search so that every time a new row gets added, Splunk should only update the existing and not add a new one if event id already exists

woodcock · ‎07-16-2018

Like this:

index=x sourcetype=y
| appendpipe [| inputlookup abc.csv ]
| dedup EventId
| outputlookup abc.csv

You might also include _time and add before the outputlookup:

| where _time <= relative_time(now(), "-30d")

View solution in original post

woodcock · ‎07-16-2018

Like this:

index=x sourcetype=y
| appendpipe [| inputlookup abc.csv ]
| dedup EventId
| outputlookup abc.csv

You might also include _time and add before the outputlookup:

| where _time <= relative_time(now(), "-30d")

somesoni2 · ‎07-16-2018

Give this a try

index x sourcetype=y | inputlookup abc.csv append=true | dedup EventId | outputlookup abc.csv

How to eliminate duplicate rows in a scheduled lookup?

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Automatic Discovery Part 2: Setup and Best Practices

Are you a member of the Splunk Community?

How to eliminate duplicate rows in a scheduled lookup?

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Automatic Discovery Part 2: Setup and Best Practices