https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176567#M50722 <P>So as I understand it a lookup table can only hold four types of data (number boolean, time and string). So when you send a multivalue field into a lookup it gets created as a string, which is not usable by mvexpand or the other mv commands. However, you can split the data with a delimiter using mvjoin: </P> <PRE><CODE> ... | eval &lt;new field&gt;=mvjoin(&lt;original field&gt;, "&lt;delimiter&gt;") </CODE></PRE> <P>This then gives you a sting with a delimiter between each entry (e.g. TCP,TCP,TCP). Once you have that you can then convert this back into a multivalue field when you search the lookup table using:</P> <PRE><CODE> ... | makemv delim="&lt;delimiter&gt;" &lt;field&gt; </CODE></PRE> Thu, 27 Aug 2015 16:31:37 GMT peter_holmes_an 2015-08-27T16:31:37Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176563#M50718 <P>I had an extremely expensive query that would return results in this format:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/565iEE3F80675773160E/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>I needed to speed up the query because it was taking 3 minutes to load on the dashboard, so I converted it into a lookup table via outputlookup. Now, when I run inputlookup against the newly created lookup, it does not have the values seperated into new lines.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/566i8E37CE3A9314CD78/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>I have tried running mvexpand against the columns but nothing happens. When I export the results, the csv has all the fields on their own lines as in the first screen shot. </P> <P>How can I have the lookup table retain the formatting of the source table?</P> Mon, 17 Aug 2015 21:27:29 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176563#M50718 david_rose 2015-08-17T21:27:29Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176564#M50719 <P>You need to link the 3 values together so that their relationship across columns is maintained; otherwise each column's values will be treated totally independently as unrelated multivalued fields.</P> <P>So instead of something like this (which you are currently using):</P> <PRE><CODE>VIP,Risk,Port,Protocol 1.2.3.4,High,443,TCP 1.2.3.4,Medium,80,TCP </CODE></PRE> <P>You do something like this:</P> <PRE><CODE>VIP,Risk-Port-Protocol 1.2.3.4,High-443-TCP 1.2.3.4,Medium-80-TCP </CODE></PRE> <P>If necessary, you can split the fields out to separate them after the lookup, but I don't see the point</P> Tue, 18 Aug 2015 06:59:08 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176564#M50719 woodcock 2015-08-18T06:59:08Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176565#M50720 <P>Why were the multi events removed when i created the lookup though? The data was structured fine beforehand.</P> <P>I tried as you suggested by combing those fields in the original table with:</P> <P>eval "Risk Details"='Risk'."-".'Port'."-".'Protocol'</P> <P>But it ignores the multivalue fields and only concatenates the single value ones.</P> Tue, 18 Aug 2015 14:07:56 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176565#M50720 david_rose 2015-08-18T14:07:56Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176566#M50721 <P>Because when you call <CODE>outputcsv</CODE> each line must have the same number of fields therefore it does not create any multivalued fields and does an implicit <CODE>mvexpand</CODE> before writing them out (it is, after all, creating a CSV). So you need to create a triple-combo field and do the <CODE>outputcsv</CODE> again and even then, you are going to have to use <CODE>makemv</CODE> (and other commands) when you pull it back out to recreate what you had originally.</P> Thu, 20 Aug 2015 23:06:07 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176566#M50721 woodcock 2015-08-20T23:06:07Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176567#M50722 <P>So as I understand it a lookup table can only hold four types of data (number boolean, time and string). So when you send a multivalue field into a lookup it gets created as a string, which is not usable by mvexpand or the other mv commands. However, you can split the data with a delimiter using mvjoin: </P> <PRE><CODE> ... | eval &lt;new field&gt;=mvjoin(&lt;original field&gt;, "&lt;delimiter&gt;") </CODE></PRE> <P>This then gives you a sting with a delimiter between each entry (e.g. TCP,TCP,TCP). Once you have that you can then convert this back into a multivalue field when you search the lookup table using:</P> <PRE><CODE> ... | makemv delim="&lt;delimiter&gt;" &lt;field&gt; </CODE></PRE> Thu, 27 Aug 2015 16:31:37 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176567#M50722 peter_holmes_an 2015-08-27T16:31:37Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176568#M50723 <P>You are not hearing me. You need to maintain the relationship between these 3 fields: <CODE>Risk</CODE>, <CODE>Port</CODE>, &amp; <CODE>Protocol</CODE>. You created these with the <CODE>list</CODE> function (e.g. <CODE>list(Risk) AS Risk</CODE> and this maintains a "rowish" order so you can see that the first triplet is <CODE>High</CODE> / <CODE>443</CODE> / <CODE>TCP</CODE>. If you do not export these together, you will <EM>lose</EM> this relationship. You must do it the way I have already described (by linking them together as a single field). If you are using <CODE>outputscv</CODE> then do it like this:</P> <PRE><CODE>... | eval Risk_Port_Protocol = Risk . "-" . Port . "-" Protocol | stats values(Risk_Port_Protocol) by vIP Host | fields vIP Risk_Port_Protocol | outputcsv SomeFile.csv </CODE></PRE> <P>Then, when you read it back in it will look correct. This is the <EM>only</EM> way to do it (right). If you persist in a non-joined method, then you will be wasting your time because it will never be correct.</P> Thu, 27 Aug 2015 23:32:03 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176568#M50723 woodcock 2015-08-27T23:32:03Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176569#M50724 <P>try using <STRONG><EM><CODE>output_format=splunk_mv_csv</CODE></EM></STRONG> option with outputlookup</P> <PRE><CODE>|outputlookup output_format=splunk_mv_csv &lt;lookupname&gt; </CODE></PRE> Mon, 21 Oct 2019 06:16:04 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/176569#M50724 nikhiltyagi 2019-10-21T06:16:04Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/553416#M157130 <P>This is the proper solution!&nbsp;</P> Thu, 27 May 2021 21:53:53 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-Removes-Multivalue-Fields/m-p/553416#M157130 cyamal1b4 2021-05-27T21:53:53Z