topic Re: Combine 2 lookup table output fields to one multivalue field in Splunk Search

Combine 2 lookup table output fields to one multivalue field

rravind1 — Tue, 29 Sep 2020 18:19:35 GMT

I would like to combine 2 lookup table outputs to one multivalue field at search time. Table 1 and Table 2 are below are my lookup outputs. Table 3 is an example of my expected output:

LOOKUP TABLE 1 OUTPUT:
src_port, lookup1_output
1, A
2, B
3, C

LOOKUP TABLE 2 OUTPUT:
dest_port, lookup2_output
1, D
2, E
3, F

I'd like to combine lookup1_output and lookup1_output to form one multivalue output:
TABLE 3: EXPECTED COMBINED MULTIVALUE OUTPUT:
src_port, dest_port, combined_output {lookup1_output,lookup2_output}
1, 2 , {A,E}
2, 3 , {B,F}
and so on..

I tried
eval output = mvcombine(lookup1_output,lookup2_output)
but this does not help as search time order of operations is EVAL -> LOOKUP so I can't use an eval with inputs from a lookup.

Thanks in advance

Re: Combine 2 lookup table output fields to one multivalue field

somesoni2 — Tue, 06 Mar 2018 20:23:20 GMT

ON what basis values from both lookups are combined? Is it just the cross-product of all entries?

Re: Combine 2 lookup table output fields to one multivalue field

rravind1 — Tue, 29 Sep 2020 18:19:38 GMT

Not necessarily as a cross product. I want the values of the lookups to be combined based on the combination of the src_port and dest_port inputs. For example, if i combined table1 and table 2, I would like lookup1_output and lookup2_output to be combined into a single multi-value field.

Re: Combine 2 lookup table output fields to one multivalue field

somesoni2 — Tue, 06 Mar 2018 21:22:03 GMT

So, based on your example data, you want combine lookup output for src-dest combination of 1-2, 1-3,2-1,2-3,3-1,3-2..? I think you want to combine output value for a give combination of src-dest, so just want to understand how you're coming up with src-dest combination.

Re: Combine 2 lookup table output fields to one multivalue field

rravind1 — Tue, 29 Sep 2020 18:15:15 GMT

No, It's not necessary that it needs to be a catesian product, but it could be so. to explain it better, I have a src_port field and a dest_port field in my event data. I would like to find the protocol associated with each source port and each destination port. I am using 2 automatic lookups to find the src_protocol(as lookup1_output in my example) and dest_protocol(lookup2_output). Most events in my data have both src_port as well as dest_port , but it's not necessary that both fields should have values. When there is a case that the lookup returns values for both, i would like to combine the src_protocol output field and the dest_protocol output field to give me a multivalue field called protocol. If you have any idea as to how to combine the 2 lookup outputs to a single multi-value field, I can figure out the solution to the scenarios where the cartesian rule does not hold 🙂