- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Table field with duplicating from lookup.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my search below I am looking to make a table. I am running into an issue where my results go into a table.
| lookup clients.csv hostname as host OUTPUT server_type as server_type, clientName as clientName
| search server_type = app
turbine_timing_component, turbine_timing_operation, turbine_timing_total
My lookup table can have the clientName matching twice, two different server types. This results in my table printing the clientName twice in each row. So what should be just clientName|... ends up being clientNameclientName|....
I added the server type clause to try and make it only pull in that one time. Is there another function I should be looking at? It might be more an issue with how the lookup I am using was created.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have several options. If you sort your lookup file so that the most important one is on top and then use max_matches to limit to just 1:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Addfieldmatchingrulestoyourlookupconfig...
You could also leave it the way that it is and add this:
| mvexpand clientName
This will break it into 2 lines, you might then desire to sort it so that the importantest one is on top and then drop the others by further adding this:
| dedup clientName
Be aware that you might have to first call | makemv clientname to make it a truly multi-value field (it may come out concatenated).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please post sanitized lines from your lookup file for a row with a single client/server pair, and ones that result in a duplicate?
BTW, if the field names don't need to change, then your OUTPUT can simply list the fields without renaming them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have several options. If you sort your lookup file so that the most important one is on top and then use max_matches to limit to just 1:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/Addfieldmatchingrulestoyourlookupconfig...
You could also leave it the way that it is and add this:
| mvexpand clientName
This will break it into 2 lines, you might then desire to sort it so that the importantest one is on top and then drop the others by further adding this:
| dedup clientName
Be aware that you might have to first call | makemv clientname to make it a truly multi-value field (it may come out concatenated).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock Thank you for the input this is perfect. I do not have control over many areas of my instance, though I am mostly the only user so I cant edit the lookup. Use case for me is to estimate the size of a summary index; I am generating a small lookup over 1 week to extrapolate out to get the estimated summary index size. The lookup in some cases has app and db servers with the same name so on a select few I get this issue.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
