Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove a duplicate from a lookup or only return one of the results?

bmkaiser
Explorer
‎09-03-2015 10:12 AM

I am performing a lookup on a table that contains data that I don't manage and cannot change. The lookup is returning duplicates for some people because they're listed twice in the source table. How do I either return only one of the results from the lookup or remove the duplicate from only the affected records? My data looks something like this:

Name     Dept
----------------------
Joe       IT
          IT
----------------------
Mary      IT
----------------------
Bob      Ops
----------------------

I don't want to remove all occurrences of IT. I only want to remove the duplicates from Joe's row. Or perhaps there's a different way I can get the information so that it is only returning one result. The lookup portion is pretty standard and looks like this: 

| LOOKUP name AS first_name OUTPUT department AS Dept
Reply
1 Solution
Solved! Jump to solution
Solution

cramasta
Builder
‎09-03-2015 10:33 AM

Create a lookup definition.

manager > lookups > lookup definitations

check advanced options then change the maximum matches to 1

so instead of

| LOOKUP mylookup.csv name AS first_name OUTPUT department AS Dept
you use
| LOOKUP mylookupdefinition name AS first_name OUTPUT department AS Dept

View solution in original post

Reply
Solved! Jump to solution

bmkaiser
Explorer
‎09-04-2015 05:51 AM

I did also figure out how to remove the duplicate using mvdedup:

| EVAL Dept=MVDEDUP(Dept)
Reply
Solved! Jump to solution

JWellsBNSF
Engager
‎11-21-2019 12:05 PM

This was incredibly helpful. Thank you.

0 Karma
Reply
Solved! Jump to solution
Solution

cramasta
Builder
‎09-03-2015 10:33 AM

Create a lookup definition.

manager > lookups > lookup definitations

check advanced options then change the maximum matches to 1

so instead of

| LOOKUP mylookup.csv name AS first_name OUTPUT department AS Dept
you use
| LOOKUP mylookupdefinition name AS first_name OUTPUT department AS Dept

Reply
Solved! Jump to solution

cramasta
Builder
‎09-03-2015 10:44 AM

you can also dedup the lookup file by running the a query as such.

| inputlookup mylookup.csv | dedup name | outputlookup mylookup.csv

0 Karma
Reply
Solved! Jump to solution

bmkaiser
Explorer
‎09-03-2015 10:55 AM

Thank you for your help! I like this because I'd rather never have the data in the first place.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...