Splunk Search

How do you return only 1 result from a lookup?

seomisp
Explorer

I'm enriching my search with a match against a lookup table. However, the lookup returns more than 1 result for each match. I want to return just 1 match, depending on a criterion, for example the highest number or such.

Here's my example:

index=index_a ip=10.0.0.1
| lookup ip_lookup_table ipaddr as ip outputnew confidence as c source as s severity as sev _time as l_time
| table ip, c, s, sev, l_time

For example, this will return a table with:

IP          c     s          sev         l_time
10.0.0.1    67    source_X   high        1540238898
            40    source_Y   very-high   1440238898
            80    source_Z   medium      1530238898

I wanted to return just the line with the max l_time, so that the table would be:

IP          c     s          sev         l_time
10.0.0.1    67    source_X   high        1540238898

I tried doing for example | eval l_time=max(l_time), but it doesn't affect the full row.

I checked the contents of the lookup table, and it has three different rows concerning the IP 10.0.0.1. Why is the lookup aggregating the results into the columns, instead of returning a row for each match?

0 Karma

valiquet
Contributor

index=index_a ip=10.0.0.1
| lookup ip_lookup_table ipaddr as ip outputnew confidence as c source as s severity as sev _time as l_time
| mvexpand ip
| stats max(l_time) by ip c s sev

0 Karma

FrankVl
Ultra Champion

Unless someone comes up with a smart way to wrestle those multi value fields into shape, you might be best off by using a join in this case, rather than a lookup.

That way, you can do some preprocessing on the table, before joining it to your event data, to ensure it joins the desired rows.

If the criterion for which row to use is always the same, you could also consider making sure the lookup table is sorted accordingly and then configure the lookup definition so that it only returns a single match.

0 Karma
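As an added example (not from any of the posters), this is one way to wrestle the multivalue lookup output into shape without a join: zip the parallel multivalue fields so each match stays together, expand to one row per match, then keep the match with the highest l_time for each original event. It assumes the field names from the question, that the lookup populates all four output fields for every row (a null in one field would shift the multivalue alignment), and a hypothetical row_id helper field added before the lookup.

```spl
index=index_a ip=10.0.0.1
| streamstats count AS row_id
| lookup ip_lookup_table ipaddr AS ip OUTPUTNEW confidence AS c source AS s severity AS sev _time AS l_time
| eval match=mvzip(mvzip(mvzip(c, s, "|"), sev, "|"), l_time, "|")
| mvexpand match
| eval parts=split(match, "|"), c=mvindex(parts, 0), s=mvindex(parts, 1), sev=mvindex(parts, 2), l_time=mvindex(parts, 3)
| sort 0 -num(l_time)
| dedup row_id
| table ip, c, s, sev, l_time
```

streamstats numbers each event before the lookup so dedup keeps exactly one match per event rather than one per IP across all events; sort 0 -num(l_time) orders numerically rather than lexicographically. If the lookup CSV is kept sorted by _time descending, the alternative FrankVl mentions is to set max_matches = 1 in the lookup definition (transforms.conf), which makes the lookup itself return only the first match.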