Solved: Re: How do I get first match from lookup with mult...

rajashekar_s · ‎12-14-2017

I am trying to match a field A from base query with a kv store lookup to get field B from lookup. Apparently there are multiple matches for field A in the lookup which doesn't give me field B in my final table.
1. I cannot use a join for the lookup as the number of entries even if i dedup is more than 600k.
2. I cannot edit the transforms.conf for max_matches entry as I dont have admin access.

3. Tried using lookup in subsearch with no luck.

Query -
query -- | lookup LKP_NAME A AS A OUTPUT B AS B
| table field1 field2 fieldA fieldB

My result table has 7 rows of which 5 rows have single match and I get fieldB perfectly. The other two rows have 2 matches each in lookup and I don't get fieldB for them.
Looking for any help to guide me how to get the field B from lookup on first match.

starcher · ‎12-15-2017

Where you have multiple values for B this will give you the first one or the only if it returns only one.

| lookup LKP_NAME A AS A OUTPUT B AS B
| eval B=mvindex(B,0)

View solution in original post

starcher · ‎12-15-2017

Where you have multiple values for B this will give you the first one or the only if it returns only one.

| lookup LKP_NAME A AS A OUTPUT B AS B
| eval B=mvindex(B,0)

rajashekar_s · ‎12-17-2017

Thanks. Not sure how I missed this one.

How do I get first match from lookup with multiple entries

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann