Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

lose one event if another one exists using dedup

darrend
Path Finder
‎11-12-2013 01:51 AM

Hi Guys

I am trying to automatically create a lookup table based on results from searches, part of the search will be to feed results back in from the previously generated lookup, something like this:

search for some stuff | append [previousoutput.csv] |eval field3=if(is null(field3),"unknown",field3)

This gets me so far and gives me results like:

field1,field2,field3
hannah,green,banana
clive,red,unknown
hannah,green,unknown

This is where i am coming unstuck, i want the output lookup i generate off of the back of this to be reduplicated, 1 entry per user, but i only want to keep the amended version of field 3 if it exists, if an amended version of field 3 does not exist then i would like to populate the output with unknown, so my output csv would look like:

field1,field2,field3
hannah,green,banana
clive,red,unknown

Any ideas?

Thanks
Darren

0 Karma
Reply

landen99
Motivator
‎02-11-2015 08:48 AM 
yourstuff | eval field3=if(isnull(field3),"zzzzzzzz",field3) | sort limit=0 field3 | dedup keepempty=t field3 | eval field3=if((field3)="zzzzzzzz","unknown",field3)
0 Karma
Reply

somesoni2
Revered Legend
‎11-12-2013 12:09 PM

Try following (assuming we get only two duplicate entries, one with amended value and one with "Unknown")

search for some stuff | append [previousoutput.csv] |eval field3=if(is null(field3),"unknown",field3)
 | dedup field1, field2, field3| mvcombine field3 delim="," |eval val1=mvindex(field3,0) | eval val2=mvindex(field3,1) | eval field3=case(val1="Unknown" AND isnotnull(val2), val2, 1=1,val1)

This combines field3 for duplicate values for field1 and field2 (field3 is different,field3=amendedValue and field3=Unknown) into one mv field and then takes the first non "unknown" value for it.

0 Karma
Reply

Ayn
Legend
‎11-12-2013 02:58 AM

Well, dedup? 🙂

... | dedup field1 field2
0 Karma
Reply

darrend
Path Finder
‎11-12-2013 03:15 AM

That's what i originally tried, but with that approach there is no guarantee that you won't end up with:

field1,field2,field3
hannah,green,unknown
clive,red,unknown

I may not of worded my original question very well, but i need to guarantee that the alternate value gets kept if the alternate and the "unknown" values both exist. I cannot do a sort as the alternate value will become a user controlled free text field in my app.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top