https://community.splunk.com/t5/Splunk-Search/Table-field-with-duplicating-from-lookup/m-p/421021#M120960 <P>@woodcock Thank you for the input this is perfect. I do not have control over many areas of my instance, though I am mostly the only user so I cant edit the lookup. Use case for me is to estimate the size of a summary index; I am generating a small lookup over 1 week to extrapolate out to get the estimated summary index size. The lookup in some cases has app and db servers with the same name so on a select few I get this issue.</P> Thu, 01 Aug 2019 18:25:58 GMT aohls 2019-08-01T18:25:58Z https://community.splunk.com/t5/Splunk-Search/Table-field-with-duplicating-from-lookup/m-p/421018#M120957 <P>In my search below I am looking to make a table. I am running into an issue where my results go into a table. </P> <PRE><CODE> | lookup clients.csv hostname as host OUTPUT server_type as server_type, clientName as clientName | search server_type = app turbine_timing_component, turbine_timing_operation, turbine_timing_total </CODE></PRE> <P>My lookup table can have the clientName matching twice, two different server types. This results in my table printing the clientName twice in each row. So what should be just clientName|... ends up being clientNameclientName|....</P> <P>I added the server type clause to try and make it only pull in that one time. Is there another function I should be looking at? It might be more an issue with how the lookup I am using was created.</P> Thu, 01 Aug 2019 15:23:51 GMT https://community.splunk.com/t5/Splunk-Search/Table-field-with-duplicating-from-lookup/m-p/421018#M120957 aohls 2019-08-01T15:23:51Z https://community.splunk.com/t5/Splunk-Search/Table-field-with-duplicating-from-lookup/m-p/421019#M120958 <P>You have several options. If you sort your lookup file so that the most important one is on top and then use <CODE>max_matches</CODE> to limit to just 1:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Addfieldmatchingrulestoyourlookupconfiguration">https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Addfieldmatchingrulestoyourlookupconfiguration</A></P> <P>You could also leave it the way that it is and add this:</P> <PRE><CODE>| mvexpand clientName </CODE></PRE> <P>This will break it into 2 lines, you might then desire to sort it so that the importantest one is on top and then drop the others by further adding this:</P> <PRE><CODE>| dedup clientName </CODE></PRE> <P>Be aware that you might have to first call <CODE>| makemv clientname</CODE> to make it a truly multi-value field (it may come out concatenated).</P> Thu, 01 Aug 2019 17:23:44 GMT https://community.splunk.com/t5/Splunk-Search/Table-field-with-duplicating-from-lookup/m-p/421019#M120958 woodcock 2019-08-01T17:23:44Z https://community.splunk.com/t5/Splunk-Search/Table-field-with-duplicating-from-lookup/m-p/421020#M120959 <P>Can you please post sanitized lines from your lookup file for a row with a single client/server pair, and ones that result in a duplicate?</P> <P>BTW, if the field names don't need to change, then your OUTPUT can simply list the fields without renaming them.</P> Thu, 01 Aug 2019 17:29:52 GMT https://community.splunk.com/t5/Splunk-Search/Table-field-with-duplicating-from-lookup/m-p/421020#M120959 jpolvino 2019-08-01T17:29:52Z https://community.splunk.com/t5/Splunk-Search/Table-field-with-duplicating-from-lookup/m-p/421021#M120960 <P>@woodcock Thank you for the input this is perfect. I do not have control over many areas of my instance, though I am mostly the only user so I cant edit the lookup. Use case for me is to estimate the size of a summary index; I am generating a small lookup over 1 week to extrapolate out to get the estimated summary index size. The lookup in some cases has app and db servers with the same name so on a select few I get this issue.</P> Thu, 01 Aug 2019 18:25:58 GMT https://community.splunk.com/t5/Splunk-Search/Table-field-with-duplicating-from-lookup/m-p/421021#M120960 aohls 2019-08-01T18:25:58Z