https://community.splunk.com/t5/Splunk-Search/Lookup-against-an-Array/m-p/668268#M229251 <P>I'm trying to run a lookup against a list of values in an array.&nbsp; I have a CSV which look as follows:</P><TABLE border="1" width="56.25%"><TBODY><TR><TD width="25%" height="25px">id</TD><TD width="25%" height="25px">x</TD><TD width="25%" height="25px">y</TD></TR><TR><TD width="25%" height="25px">123</TD><TD width="25%" height="25px">Data</TD><TD width="25%" height="25px">Data2</TD></TR><TR><TD width="25%">321</TD><TD width="25%">Data</TD><TD width="25%">Data2</TD></TR><TR><TD width="25%">456</TD><TD width="25%">Data3</TD><TD width="25%">Data3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>The field from the search is is an array which looks as follows:</P><P>["123", "321", 456"]<BR /><BR />I want to map the lookup value.&nbsp; Do I need to iterate over the field or can I use a lookup or is the best option?</P> Fri, 10 Nov 2023 17:57:36 GMT gbam 2023-11-10T17:57:36Z https://community.splunk.com/t5/Splunk-Search/Lookup-against-an-Array/m-p/668268#M229251 <P>I'm trying to run a lookup against a list of values in an array.&nbsp; I have a CSV which look as follows:</P><TABLE border="1" width="56.25%"><TBODY><TR><TD width="25%" height="25px">id</TD><TD width="25%" height="25px">x</TD><TD width="25%" height="25px">y</TD></TR><TR><TD width="25%" height="25px">123</TD><TD width="25%" height="25px">Data</TD><TD width="25%" height="25px">Data2</TD></TR><TR><TD width="25%">321</TD><TD width="25%">Data</TD><TD width="25%">Data2</TD></TR><TR><TD width="25%">456</TD><TD width="25%">Data3</TD><TD width="25%">Data3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>The field from the search is is an array which looks as follows:</P><P>["123", "321", 456"]<BR /><BR />I want to map the lookup value.&nbsp; Do I need to iterate over the field or can I use a lookup or is the best option?</P> Fri, 10 Nov 2023 17:57:36 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-against-an-Array/m-p/668268#M229251 gbam 2023-11-10T17:57:36Z https://community.splunk.com/t5/Splunk-Search/Lookup-against-an-Array/m-p/668280#M229255 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/76653">@gbam</a>,</P> <P>Splunk provides an eval function, json_array_to_mv, to convert JSON-like array values to multivalued field values. After conversion, you can use the lookup command just as you would for any other field:</P> <LI-CODE lang="markup">| makeresults | eval id="[\"123\", \"321\", \"456\"]" | eval id=json_array_to_mv(id, false()) | lookup gbam_lookup.csv id</LI-CODE> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="25%"><STRONG>_time</STRONG></TD> <TD width="25%"><STRONG>id</STRONG></TD> <TD width="25%"><STRONG>x</STRONG></TD> <TD width="25%"><STRONG>y</STRONG></TD> </TR> <TR> <TD width="25%"><SPAN>2023-11-10 16:14:53</SPAN></TD> <TD width="25%">123<BR />321<BR />456</TD> <TD width="25%">Data<BR />Data<BR />Data3</TD> <TD width="25%">Data2<BR />Data2<BR />Data3</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Index 0 of multivalued field id corresponds to index 0 of multivalued fields x and y, index 1 corresponds to index 1, etc.</P> Sat, 11 Nov 2023 13:04:17 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-against-an-Array/m-p/668280#M229255 tscroggins 2023-11-11T13:04:17Z