In my search below I am looking to make a table. I am running into an issue where my results go into a table.
| lookup clients.csv hostname as host OUTPUT server_type as server_type, clientName as clientName
| search server_type = app
turbine_timing_component, turbine_timing_operation, turbine_timing_total
My lookup table can have the clientName matching twice, two different server types. This results in my table printing the clientName twice in each row. So what should be just clientName|... ends up being clientNameclientName|....
I added the server type clause to try and make it only pull in that one time. Is there another function I should be looking at? It might be more an issue with how the lookup I am using was created.
You have several options. If you sort your lookup file so that the most important one is on top and then use max_matches to limit to just 1:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Addfieldmatchingrulestoyourlookupconfig...
You could also leave it the way that it is and add this:
| mvexpand clientName
This will break it into 2 lines; you might then desire to sort it so that the most important one is on top and then drop the others by further adding this:
| dedup clientName
Be aware that you might have to first call | makemv clientName to make it a truly multi-value field (it may come out concatenated).
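The following search is an added example, not part of the original answer. It keeps only the app row when one host matches two lookup rows, by zipping server_type and clientName into pairs before expanding so the two fields stay aligned. The makeresults and first eval lines stand in for the output of the clients.csv lookup; host01, clientA and the "::" delimiter are constructed values, and it assumes neither field is empty in any lookup row.

```spl
| makeresults
| eval host="host01", server_type=split("db,app", ","), clientName=split("clientA,clientA", ",")
| eval pair=mvzip(server_type, clientName, "::")
| mvexpand pair
| eval server_type=mvindex(split(pair, "::"), 0), clientName=mvindex(split(pair, "::"), 1)
| search server_type=app
| fields - pair
| table host server_type clientName
```

In the real search, replace the first two lines with the existing lookup; placing the server_type filter after mvexpand is what removes the db row, because a filter on a multivalue field matches the whole event if any one value matches.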
Can you please post sanitized lines from your lookup file for a row with a single client/server pair, and ones that result in a duplicate?
BTW, if the field names don't need to change, then your OUTPUT can simply list the fields without renaming them.
@woodcock Thank you for the input, this is perfect. I do not have control over many areas of my instance, though I am mostly the only user, so I can't edit the lookup. Use case for me is to estimate the size of a summary index; I am generating a small lookup over 1 week to extrapolate out to get the estimated summary index size. The lookup in some cases has app and db servers with the same name, so on a select few I get this issue.