Getting Data In

Making a multivalue field from a value obtained in a lookup

Robbie1194
Communicator

Hi guys,

I'm not sure if this is possible or not but it would be good to get it cleared up so I know for future.

So I'm wondering if I can use props and transforms (and maybe fields.conf) to make a multivalue field at search time. However, the field I want to make multi value isn't indexed, it comes from a lookup that's configured to automatically enrich my data at search time in props.conf. Is this possible? I'm having doubts because I think props/transforms/fields is applied before my automatic lookup?

Any help would be appreciated!

Cheers

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

Hello @Robbie1194,

Since lookups are applied after props and transforms, you cant do that.

See this: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence

Therefore your only option is to use the SPL commands mvcombine, mvexpand, makemv, nomv, etc. and the eval mv functions as needed.

View solution in original post

0 Karma

jkat54
SplunkTrust
SplunkTrust

Hello @Robbie1194,

Since lookups are applied after props and transforms, you cant do that.

See this: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence

Therefore your only option is to use the SPL commands mvcombine, mvexpand, makemv, nomv, etc. and the eval mv functions as needed.

0 Karma

Robbie1194
Communicator

Yeah i thought as much, was just checking. Thanks.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...