I am trying to match a field A from base query with a kv store lookup to get field B from lookup. Apparently there are multiple matches for field A in the lookup which doesn't give me field B in my final table.
1. I cannot use a join for the lookup as the number of entries even if i dedup is more than 600k.
2. I cannot edit the transforms.conf for max_matches entry as I dont have admin access.
3. Tried using lookup in subsearch with no luck.
Query -
query -- | lookup LKP_NAME A AS A OUTPUT B AS B
| table field1 field2 fieldA fieldB
My result table has 7 rows of which 5 rows have single match and I get fieldB perfectly. The other two rows have 2 matches each in lookup and I don't get fieldB for them.
Looking for any help to guide me how to get the field B from lookup on first match.
Where you have multiple values for B this will give you the first one or the only if it returns only one.
| lookup LKP_NAME A AS A OUTPUT B AS B
| eval B=mvindex(B,0)
Where you have multiple values for B this will give you the first one or the only if it returns only one.
| lookup LKP_NAME A AS A OUTPUT B AS B
| eval B=mvindex(B,0)
Thanks. Not sure how I missed this one.