topic Re: multivalued OUTPUT field for my automatic lookup in Splunk Search

multivalued OUTPUT field for my automatic lookup

carmackd — Wed, 14 Mar 2012 15:33:03 GMT

Is it possible to configure an automatic lookup to use a multivalued OUTPUT field? I should add that the lookups matching field is multivalued.

Re: multivalued OUTPUT field for my automatic lookup

lguinn2 — Wed, 14 Mar 2012 21:50:25 GMT

If you allow multiple matches in your lookup (which is the default) then you can get multi-value outputs. But it has to be set up in the lookup table itself. Here is an example: mydata.csv contains

key,resultX,resultY

1,aaa,bbb

2,ccc,ddd

2,ccc,eee

Notice that there are two rows with key=2. So if you do a lookup where key is the input field, and where resultX and resultY are output fields, you will get the values

key=2

resultX=ccc

resultY=ddd,eee (multi-valued)

Is this what you are looking for?

Re: multivalued OUTPUT field for my automatic lookup

carmackd — Thu, 15 Mar 2012 14:02:17 GMT

Not exactly. My problem is I have a multivalued matching field (key in ex above) and I need to return all matching output, which will also make the output field multivalued. The behavior I'm seeing with the multivalued matching field is that it applies the first multivalued matching field to the lookup and skips the remaining.

Example: I have two keys (key=1 & key=2 example above) in an event that retrieves resultX using an automatic lookup. However the automatic lookup only returns the first match (aaa) when I need it to return (aaa & ccc) in a multivalued output field.

Re: multivalued OUTPUT field for my automatic lookup

rdownie — Sun, 24 Feb 2013 19:10:44 GMT

I am having the same issue. Did you get a resolution on this?
Thanks.

Re: multivalued OUTPUT field for my automatic lookup

lguinn2 — Mon, 25 Feb 2013 13:11:58 GMT

If your input key is multivalued, then you may have a problem, depending on what you want to do.

For this answer, assume that the lookup is described as in lguinn's answer from 14-Mar-2012. And, assume that the event data that we are searching has a format something like this

14-Feb-2012 09:02:17 12345 1,2 other stuff

where the fields are the timestamp, a 5-digit field named id and a multivalued-field named key. Assume that you also have created a lookup named lookup_key.

One easy way to make things work - depending on what you want for a final output -

yoursearchhere | mvexpand key | lookup lookup_key key OUTPUT resultX resultY | whatever else...

Everything else gets more complicated, and depends on exactly what data you have and what result you need.

So if this idea doesn't work for you, please

create a new question
include a few sample events (sanitized of real server names, user names etc)
description of the important fields (and which ones can be multi-valued)
an example of the lookup table (a couple lines should do here)
explanation, mock-up or something to describe the results that you are trying to get

There isn't really enough info in this thread to go farther.

Re: multivalued OUTPUT field for my automatic lookup

jpass — Fri, 06 Dec 2013 17:26:02 GMT

I understand what you are trying to do as I'm having the same issue as well. The automatic lookup should execute on each value of the multivalue field in the event and return a multivalue field. Did you happen to find a better solution then editing your events or using mvexpand?

Re: multivalued OUTPUT field for my automatic lookup

caseypike — Wed, 05 Feb 2014 12:56:42 GMT

I am having the same problem... I have a multi-vlued field with 10 events. When I do a lookup, it only matches on the first event. Even with an mvexpand on the field (to separate each value of the multi-valued field into separate events), it actually matches on each event of the lookukp value from the first value of the field. I have events now with the wrong lookup value.

Re: multivalued OUTPUT field for my automatic lookup

dvb — Wed, 26 Oct 2016 11:14:35 GMT

If you want to get multi-value outputs then make sure you select "Overwrite field values" for the automatic lookup. In other words, make sure you see OUTPUT and not OUTPUTNEW.

By default, the UI sets automatic lookup to use OUTPUTNEW, but that will only write to the output field if it does not exist already (which will result in only the first value of an mv-field to being looked up).