Splunk Search

Table field with duplicating from lookup.

aohls
Contributor

In my search below I am looking to make a table. I am running into an issue where my results go into a table.

   | lookup clients.csv hostname as host OUTPUT server_type as server_type, clientName as clientName
   | search server_type = app
   | table turbine_timing_component, turbine_timing_operation, turbine_timing_total

My lookup table can have the clientName matching twice, two different server types. This results in my table printing the clientName twice in each row. So what should be just clientName|... ends up being clientNameclientName|....

I added the server type clause to try and make it only pull in that one time. Is there another function I should be looking at? It might be more an issue with how the lookup I am using was created.

0 Karma
1 Solution

woodcock
Esteemed Legend

You have several options. You can sort your lookup file so that the most important one is on top and then use max_matches to limit to just 1:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Addfieldmatchingrulestoyourlookupconfig...

You could also leave it the way that it is and add this:

| mvexpand clientName

This will break it into 2 lines; you might then desire to sort it so that the most important one is on top and then drop the others by further adding this:

| dedup clientName

Be aware that you might have to first call | makemv clientName to make it a truly multi-value field (it may come out concatenated).

0 Karma
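The situation described in the question and the answer above, as an added SPL example (not part of the original thread). It uses makeresults and mvappend to construct, inline, the row that a two-match lookup produces, so it runs on any Splunk search head without the real clients.csv; the host, client and timing values are made up. Instead of mvexpand + dedup it uses the eval multivalue functions, which do the same job without expanding rows. The `comment(...)` calls are Splunk's built-in comment macro and can be deleted on older versions.

```spl
| makeresults count=1
`comment("Constructed sample: one event after the lookup matched two clients.csv rows for the same host (an app row and a db row), so clientName and server_type each come back with two values")`
| eval host="turbine-app-01",
       clientName=mvappend("acme", "acme"),
       server_type=mvappend("app", "db"),
       turbine_timing_component="compressor",
       turbine_timing_operation="spinup",
       turbine_timing_total=42
`comment("'| search server_type=app' keeps the event if ANY value is app, so it never removes the db copy; filter the multivalue field itself instead")`
| eval server_type=mvfilter(server_type=="app")
`comment("collapse the repeated client name to a single value (alternative to '| mvexpand clientName | dedup clientName')")`
| eval clientName=mvdedup(clientName)
| table clientName, server_type, turbine_timing_component, turbine_timing_operation, turbine_timing_total
```

In the real search, replace the makeresults/eval block with the base search plus the `| lookup clients.csv ...` line from the question. If you do control the lookup definition, the max_matches route from the answer is set in transforms.conf: on the stanza for clients.csv add `max_matches = 1`, and sort the CSV so the row you want for a duplicated hostname comes first, because only the first match in file order is returned.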

jpolvino
Builder

Can you please post sanitized lines from your lookup file for a row with a single client/server pair, and ones that result in a duplicate?

BTW, if the field names don't need to change, then your OUTPUT can simply list the fields without renaming them.

0 Karma

aohls
Contributor

@woodcock Thank you for the input, this is perfect. I do not have control over many areas of my instance, though I am mostly the only user, so I can't edit the lookup. Use case for me is to estimate the size of a summary index; I am generating a small lookup over 1 week to extrapolate out to get the estimated summary index size. The lookup in some cases has app and db servers with the same name, so on a select few I get this issue.

0 Karma