Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you allow automatically match against lookup file multi-value field

splunker1981
Path Finder
‎11-09-2020 01:17 PM

Hello experts - 

I'm scratching my head trying to figure out if there's something at the low level configuration side that needs to be done to allow lookup matches against a multi valued field.  I have two environments, with relatively same data, where I'm able to run a lookup and get back data on one but not the other using a similar approach. See sample search below 

 

| makeresults 
| eval uid= "1017" 
| lookup cust_uid.csv po_id as uid OUTPUT region, customer

 

The contents of the lookup files is relatively the same on both but when I run the same command I get a match on one splunk instance but not the other. Below is a snippet of the lookup contents - 3 sample entries

 

customer,region,po_id
XXX,US - West,"0
19263
129888
locale-39488"
YYY,US - East,"1299
3453"
UUU,BRZ,1017

 

Again, I'm not quite sure why I can't do a simple lookup against the multi valued field po_id and get back the 2 fields I call out in the output, thoughts?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-09-2020 11:56 PM

Try mvexpand on po_id so you can lookup against each value separately

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...