Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookups excluding answers if multiple same lines a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a lookup that end users can update. However they might make a mistake and put in the same data twice.
The issues is, if this is done SPLUNK wont return ether results. So the data is lost as i am using this with a transform.
Initial Search .....| lookup lookup Context_Command AS "Context+Command" OUTPUT Tags CC_Description Threshold
So Example 1 - Working
This is the look up table - I get 10 Row returned to me [As i should] It finds a match for NULL#Login and this is good
Context_Command CC_Description Tags Alert Threshold
NULL#Login TEST2 TEST2 y 5
Example 2 - Not Working
This is the look up table - I get 8 Row returned to me and NULL#Login is excluded from this
Context_Command CC_Description Tags Alert Threshold
NULL#Login TEST2 TEST2 y 5
NULL#Login TEST2 TEST2 y 5
I know this is a human problem, however this file can have hundreds is not thousands of line and this will become difficult to manage.
This is the transform i am using
[Context_Command_lookup]
filename = TEST_MXTIMING.csv
match_type = WILDCARD(Context_Command)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One trivial solution is to periodically run...
| inputlookup mylookupname | dedup mykey |outputlookup mylookupname
However, lookup should return the first answer found if there are duplicates.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One trivial solution is to periodically run...
| inputlookup mylookupname | dedup mykey |outputlookup mylookupname
However, lookup should return the first answer found if there are duplicates.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Thanks for this.
I think it must be a bug if this is that case.
I will report it so
Thanks
Robert Lynch
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
