I have a lookup that end users can update. However, they might make a mistake and put in the same data twice.
The issue is, if this is done, Splunk won't return either result. So the data is lost, as I am using this with a transform.
Initial Search .....| lookup lookup Context_Command AS "Context+Command" OUTPUT Tags CC_Description Threshold
So Example 1 - Working
This is the lookup table - I get 10 rows returned to me [as I should]. It finds a match for NULL#Login and this is good.
Context_Command CC_Description Tags Alert Threshold
NULL#Login TEST2 TEST2 y 5
Example 2 - Not Working
This is the lookup table - I get 8 rows returned to me and NULL#Login is excluded from this.
Context_Command CC_Description Tags Alert Threshold
NULL#Login TEST2 TEST2 y 5
NULL#Login TEST2 TEST2 y 5
I know this is a human problem; however, this file can have hundreds if not thousands of lines and this will become difficult to manage.
This is the transform I am using:
[Context_Command_lookup]
filename = TEST_MXTIMING.csv
match_type = WILDCARD(Context_Command)
One trivial solution is to periodically run...
| inputlookup mylookupname | dedup mykey |outputlookup mylookupname
However, lookup should return the first answer found if there are duplicates.
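An offline variant of the duplicate check, as an added example that is not part of the original answer: a Python script that audits the lookup CSV before it is uploaded, separating identical repeats from conflicting rows and flagging wildcard keys that cover other keys. It goes beyond the dedup shown above; the sample rows are constructed, and treating only `*` as a case-sensitive wildcard is an assumption.

```python
import csv
import io
import re

KEY_FIELD = "Context_Command"  # key column of the lookup shown in the question

# Constructed sample in the shape of the question's lookup (not real data).
SAMPLE_CSV = """Context_Command,CC_Description,Tags,Alert,Threshold
NULL#Login,TEST2,TEST2,y,5
NULL#Login,TEST2,TEST2,y,5
NULL#Log*,TEST3,TEST3,n,9
NULL#Logout,TEST4,TEST4,y,2
NULL#Logout,TEST4,TEST4,y,7
"""


def wildcard_to_regex(pattern):
    # Assumption: only "*" is a wildcard; every other character is literal.
    return re.compile(re.escape(pattern).replace(r"\*", ".*"))


def audit_lookup(text, key_field=KEY_FIELD):
    """Return (deduped_rows, exact_dupes, conflicts, wildcard_overlaps)."""
    reader = csv.DictReader(io.StringIO(text))
    if key_field not in (reader.fieldnames or []):
        raise ValueError(f"lookup has no {key_field!r} column")
    first_seen = {}  # key -> (line number, row) of its first occurrence
    exact, conflicts = [], []
    for row in reader:
        key, line_no = row[key_field], reader.line_num
        if key not in first_seen:
            first_seen[key] = (line_no, row)
            continue
        prev_line, prev_row = first_seen[key]
        # Same key and values: harmless repeat. Same key, different values:
        # a person has to decide which row is the intended one.
        (exact if row == prev_row else conflicts).append((key, prev_line, line_no))
    # A wildcard key that covers another key gives that key two matching rows.
    overlaps = [(pat, key)
                for pat in first_seen if "*" in pat
                for key in first_seen
                if key != pat and wildcard_to_regex(pat).fullmatch(key)]
    deduped = [row for _, row in first_seen.values()]  # keeps the first row per key
    return deduped, exact, conflicts, overlaps


if __name__ == "__main__":
    rows, exact, conflicts, overlaps = audit_lookup(SAMPLE_CSV)
    print(f"{len(rows)} unique keys; exact={exact} conflicts={conflicts} overlaps={overlaps}")
```

Conflicting rows are reported with both line numbers rather than silently dropped, since keeping the first one may discard the threshold the user meant to set.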
Hi
Thanks for this.
I think it must be a bug if this is the case.
I will report it so
Thanks
Robert Lynch