https://community.splunk.com/t5/Splunk-Enterprise-Security/Matching-value-from-two-multi-value-field/m-p/463119#M6750 <PRE><CODE>.... | stats values(recipient) as recipient count by _time sender | mvexpand recipient | eval recipient=lower(recipient) | lookup users email AS recipient OUTPUT id | mvexpand id | lookup users id OUTPUT type first last </CODE></PRE> <P>If you provide sample jpg, more clearly.</P> Thu, 02 Apr 2020 06:53:09 GMT to4kawa 2020-04-02T06:53:09Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Matching-value-from-two-multi-value-field/m-p/463118#M6749 <P>I am working with MS-Exchange data. I am taking recipient email value and matching with user lookup for other details. Same email have multiple matching values in lookup table. I want only matching records in same row, instead of repeating it.</P> <P>Ex.: I have an email <A href="mailto:xyz@abc.com">xyz@abc.com</A> in log. I have 3 records matching in user lookup like below.</P> <PRE><CODE> email first last id type xyz@abc.com Ram Singh 1001 T xyz@abc.com Ram Singh 1042 C xyz@abc.com Ram Singh 1063 T </CODE></PRE> <P>I am using below line to match recipient value and get other details from lookup.</P> <PRE><CODE>| stats values(recipient) as recipient count by _time sender | mvexpand recipient | eval recipient=lower(recipient) | lookup users email AS recipient OUTPUT id type first last </CODE></PRE> <P>I am getting output like below.</P> <PRE><CODE>sender recipient id type first last abc@xyz.com xyz@abc.com 1001 T Ram Singh 1042 C 1063 T </CODE></PRE> <P>But I am expecting result like this, so that i can perform some conditional action.</P> <PRE><CODE>sender recipient id type first last abc@xyz.com xyz@abc.com 1001 T Ram Singh abc@xyz.com xyz@abc.com 1042 C Ram Singh abc@xyz.com xyz@abc.com 1063 T Ram Singh </CODE></PRE> <P>If I am using mvexpand command, it's providing wrong output rows.</P> Thu, 02 Apr 2020 06:21:03 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Matching-value-from-two-multi-value-field/m-p/463118#M6749 twh1 2020-04-02T06:21:03Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Matching-value-from-two-multi-value-field/m-p/463119#M6750 <PRE><CODE>.... | stats values(recipient) as recipient count by _time sender | mvexpand recipient | eval recipient=lower(recipient) | lookup users email AS recipient OUTPUT id | mvexpand id | lookup users id OUTPUT type first last </CODE></PRE> <P>If you provide sample jpg, more clearly.</P> Thu, 02 Apr 2020 06:53:09 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Matching-value-from-two-multi-value-field/m-p/463119#M6750 to4kawa 2020-04-02T06:53:09Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Matching-value-from-two-multi-value-field/m-p/463120#M6751 <P>Hi @to4kawa ,<BR /> I have multi value field not NULL value field. If i have only 1 multi-value field, I can use mvexpand and get the output. But I have multiple multi -value field, for which I need row with respective value. </P> <P>I have made little change in output now. Hope this will bring more clarity to my question.</P> Thu, 02 Apr 2020 08:04:59 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Matching-value-from-two-multi-value-field/m-p/463120#M6751 twh1 2020-04-02T08:04:59Z