Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove a duplicate from a lookup or only return one of the results?

bmkaiser
Explorer
‎09-03-2015 10:12 AM

I am performing a lookup on a table that contains data that I don't manage and cannot change. The lookup is returning duplicates for some people because they're listed twice in the source table. How do I either return only one of the results from the lookup or remove the duplicate from only the affected records? My data looks something like this:

Name     Dept
----------------------
Joe       IT
          IT
----------------------
Mary      IT
----------------------
Bob      Ops
----------------------

I don't want to remove all occurrences of IT. I only want to remove the duplicates from Joe's row. Or perhaps there's a different way I can get the information so that it is only returning one result. The lookup portion is pretty standard and looks like this: 

| LOOKUP name AS first_name OUTPUT department AS Dept
Reply
1 Solution
Solved! Jump to solution
Solution

cramasta
Builder
‎09-03-2015 10:33 AM

Create a lookup definition.

manager > lookups > lookup definitations

check advanced options then change the maximum matches to 1

so instead of

| LOOKUP mylookup.csv name AS first_name OUTPUT department AS Dept
you use
| LOOKUP mylookupdefinition name AS first_name OUTPUT department AS Dept

View solution in original post

Reply
Solved! Jump to solution

bmkaiser
Explorer
‎09-04-2015 05:51 AM

I did also figure out how to remove the duplicate using mvdedup:

| EVAL Dept=MVDEDUP(Dept)
Reply
Solved! Jump to solution

JWellsBNSF
Engager
‎11-21-2019 12:05 PM

This was incredibly helpful. Thank you.

0 Karma
Reply
Solved! Jump to solution
Solution

cramasta
Builder
‎09-03-2015 10:33 AM

Create a lookup definition.

manager > lookups > lookup definitations

check advanced options then change the maximum matches to 1

so instead of

| LOOKUP mylookup.csv name AS first_name OUTPUT department AS Dept
you use
| LOOKUP mylookupdefinition name AS first_name OUTPUT department AS Dept

Reply
Solved! Jump to solution

cramasta
Builder
‎09-03-2015 10:44 AM

you can also dedup the lookup file by running the a query as such.

| inputlookup mylookup.csv | dedup name | outputlookup mylookup.csv

0 Karma
Reply
Solved! Jump to solution

bmkaiser
Explorer
‎09-03-2015 10:55 AM

Thank you for your help! I like this because I'd rather never have the data in the first place.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...