Splunk Search

Retain columns in lookup table but not creating duplicates

tromero3
Path Finder

I have a saved search which runs every month and looks at my vulnerability events and outputs the results into a lookup table. I am deduping the "Plugin ID" value so that I am only getting unique vulnerabilities in my lookup table. I have also added 3 extra columns to the lookup table, but the search results from the saved search will not have these columns. I'm struggling with how to retain the values of those columns while still appending new results to the table. The search below that I have tried is retaining the extra columns, but it is duplicating the results each time the search is run.

I've tried not using append=t with outputlookup, but that just replaces my whole lookup table and deletes the extra columns that I need in there.

Is there any other way that I can use outputlookup and retain the extra columns while still deduping the Plugin ID? Thank you!

| stats values(state) as State, values(severity) as Severity, values(tags) as "Tags", values(plugin.name) as "Plugin Name", values(plugin_publication_date) as "Plugin Publication Date", count by plugin_id
| rename plugin_id as "Plugin ID", count as "Total Hosts"
| eval Severity=lower(Severity)
| sort num(Severity), -num("Total Hosts")
| inputlookup Vulnerabilities append=t
| dedup "Plugin ID"
| outputlookup Vulnerabilities append=t

0 Karma

thambisetty
SplunkTrust
| stats values(state) as State, values(severity) as Severity, values(tags) as "Tags", values(plugin.name) as "Plugin Name", values(plugin_publication_date) as "Plugin Publication Date", count by plugin_id
| rename plugin_id as "Plugin ID", count as "Total Hosts"
| eval Severity=lower(Severity)
| sort num(Severity), -num("Total Hosts")
| inputlookup Vulnerabilities append=t
| stats values(*) by "Plugin ID"
| outputlookup Vulnerabilities append=t

stats values(*) is just to give you an idea; you can change it.

upvote if my answer solves your problem

————————————
If this helps, give a like below.
0 Karma

tromero3
Path Finder

Hmm, I don't understand. When I do that, all it does is add extra duplicate values in the column for Plugin ID...

0 Karma

thambisetty
SplunkTrust

Can you provide the CSV lookup header?

————————————
If this helps, give a like below.
0 Karma

tromero3
Path Finder

Plugin ID, State, Severity, Tags, Plugin Name, Plugin Publication Date, Total Hosts, Case Number, Date Submitted, Days Since Submitted

The last 3 are the values that are not in the search, only in the lookup table.

0 Karma