Splunk Search

Retain columns in lookup table but not creating duplicates

tromero3
Path Finder

I have a saved search which runs every month and looks at my vulnerability events and outputs the results into a lookup table. I am deduping the "Plugin ID" value so that I am only getting unique vulnerabilities in my lookup table. I have also added 3 extra columns to the lookup table, but the search results from the saved search will not have these columns. I'm struggling with how to retain the values of those columns while still appending new results to the table. The search below, which I have tried, is retaining the extra columns but it is duplicating the results each time the search is run.

I've tried not using the append=t with the outputlookup but that just replaces my whole lookup table and deletes the extra columns that I need in there. 

Is there any other way that I can use outputlookup and retain the extra columns but still deduping the plugin ID? Thank you!

| stats values(state) as State, values(severity) as Severity, values(tags) as "Tags", values(plugin.name) as "Plugin Name", values(plugin_publication_date) as "Plugin Publication Date", count by plugin_id
| rename plugin_id as "Plugin ID", count as "Total Hosts"
| eval Severity=lower(Severity)
| sort num(Severity), -num("Total Hosts")
| inputlookup Vulnerabilities append=t
| dedup "Plugin ID"
| outputlookup Vulnerabilities append=t


thambisetty
SplunkTrust
| stats values(state) as State, values(severity) as Severity, values(tags) as "Tags", values(plugin.name) as "Plugin Name", values(plugin_publication_date) as "Plugin Publication Date", count by plugin_id
| rename plugin_id as "Plugin ID", count as "Total Hosts"
| eval Severity=lower(Severity)
| sort num(Severity), -num("Total Hosts")
| inputlookup Vulnerabilities append=t
| stats values(*) by "Plugin ID"
| outputlookup Vulnerabilities append=t

stats values(*) is just to give you an idea; you can change it.

upvote if my answer solves your problem

————————————
If this helps, give a like below.

tromero3
Path Finder

Hmm, I don't understand. When I do that, all it does is add extra duplicate values in the column for Plugin ID....


thambisetty
SplunkTrust

Can you provide the CSV lookup header?


tromero3
Path Finder

Plugin ID, State, Severity, Tags, Plugin Name, Plugin Publication Date, Total Hosts, Case Number, Date Submitted, Days Since Submitted

The last 3 are the values that are not in the search, only in the lookup table.

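Added example (not from the thread) of a merge that keeps the three tracking columns without growing the table: the posted search duplicates rows because dedup keeps the first row per "Plugin ID", which after inputlookup append=t is the fresh search row with the tracking columns empty, and outputlookup append=t then re-appends those rows to a table that already holds them. Here the fresh search rows are first enriched from the existing table with the lookup command, the existing rows are appended so plugin IDs the search no longer returns survive, dedup then keeps the enriched fresh row for each ID, and outputlookup without append=t replaces the table with the merged set. It assumes Vulnerabilities is defined as a lookup definition (the lookup command does not accept a bare CSV file name) and, as in the thread, omits the base search that precedes | stats.

```spl
| stats values(state) as State, values(severity) as Severity, values(tags) as "Tags", values(plugin.name) as "Plugin Name", values(plugin_publication_date) as "Plugin Publication Date", count by plugin_id
| rename plugin_id as "Plugin ID", count as "Total Hosts"
| eval Severity=lower(Severity)
| lookup Vulnerabilities "Plugin ID" OUTPUT "Case Number", "Date Submitted", "Days Since Submitted"
| inputlookup Vulnerabilities append=t
| dedup "Plugin ID"
| sort num(Severity), -num("Total Hosts")
| outputlookup Vulnerabilities
```

Days Since Submitted is carried over exactly as stored; if it is meant to advance each month, recompute it from Date Submitted with an eval before the outputlookup.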