Problem with Lookup table

theouhuios · ‎11-01-2012

Hello

While using lookup table there are multiple entries coming up even when in the lookup table they have distinct values stored.

Here is a gist of data in the lookup file

threshold CI
"1.00",AN100489
"1.00",WASBFBLV
"1.00",AN100369
"1.00",AN100357
"1.00",AN100399
"1.00",AN100281
"1.00",AN100090
"1.00",AN100570
"1.00",WASBHJ8B

Now when I use it in search

sourcetype="incident"| rename record.affectedCI as CI | lookup threshold-Lookup CI AS CI OUTPUT threshold AS threshold | table CI threshold|

the data comes as
1 WTSDK3LD

2 WTSDHFTB 1.00
3 WTSDHFTB 1.00
4 WTSDHFTB 1.00
5 WTSDHFS4 1.00
6 WTSDHFS4 1.00
7 WTSDC4NQ 1.00
8 WTSDC4NQ 1.00
9 WTSDC4NQ 1.00
10 WTSDC4NQ 1.00
11 WTSDC4NQ 1.00
12 WTSDC4NQ 1.00
13 WTSDB9JG 1.00

Any idea on how can I make it distinct so that it lists it only once? I need it to be uniq as I will be comparing the threshold to other fields to generate emails.

Please help.

Regards

theou

alacercogitatus · ‎11-01-2012

I believe you want the dedup command.

sourcetype="incident"| rename record.affectedCI as CI | lookup threshold-Lookup CI AS CI OUTPUT threshold AS threshold | dedup CI| table CI threshold

http://www.splunk.com/base/Documentation/5.0/SearchReference/Dedup

theouhuios · ‎11-02-2012

Issue was in the lookup tables itself. Rectified it. Thanks for the help/

alacercogitatus · ‎11-01-2012

How about: sourcetype="incident" | lookup threshold-Lookup record.affectedCI AS CI OUTPUT threshold|dedup CI |stats values(threshold) as threshold by CI ? If not, could you provide a table of the information you'd like to see? (please use backticks to preserve formatting)

theouhuios · ‎11-01-2012

I tried with dedup too. But it's still the same.

WASDQYMK

1.00
1.00
1.00
1.00

Would this be an issue with the lookup table?

Problem with Lookup table

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!