Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to output multivalue fields from lookups?

jdaves
Path Finder
‎10-28-2014 08:08 AM

Hi Splunk Answers,

I'm trying to do a lookup with a list of CVEs and the URL to them. The fields in the CSV file are QID, CVE-ID, and CVE-URL, which I'm outputting as cve_id and cve_url. I have events with a multi-valued field named 'qid'. I'd like to do a lookup on this field and output 2 new multi-valued fields, cve_id and cve_url. However, the lookup is just taking the first value for the 'qid' field and outputting the result from the CSV into cve_id and cve_url.

Here is my lookup command:

lookup qiddb_cve QID AS qid OUTPUTNEW "CVE-ID" AS cve_id "CVE-URL" AS cve_url

I found a similar issue here but it doesn't seem that there's a working solution there.

Has anyone found a way to generate a multi-valued output field from a lookup? I have to think someone's had this problem before, but I'm not finding a way to do it. Thanks!!

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎10-30-2014 03:19 AM

Hi jdaves,

Okay maybe this is not exactly the same use case....but I use a lookup file that looks like this:

host,number,processlist
hostA,3,process1 process2 process3
hostB,2,process1 process2

This is used as auto lookup and provides for each matching host an multivalue field called must_run. I use this field to compare running processes against the must_run processes (using the Splunk ps.sh) like this:

base search here 
| multikv fields COMMAND filter myProc
| stats values(COMMAND) as myProc_running values(must_run) AS must_run by host _time 
| makemv must_run 
| mvexpand must_run 
| where must_run!=myProc_running 
| do more Splunk-Fu here ....

This works perfectly.

Regarding your QID: is this mutlivalued in the lookup or in the search? if it is in the search, you could use makemv/mvexpand before the lookup.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎10-30-2014 03:19 AM

Hi jdaves,

Okay maybe this is not exactly the same use case....but I use a lookup file that looks like this:

host,number,processlist
hostA,3,process1 process2 process3
hostB,2,process1 process2

This is used as auto lookup and provides for each matching host an multivalue field called must_run. I use this field to compare running processes against the must_run processes (using the Splunk ps.sh) like this:

base search here 
| multikv fields COMMAND filter myProc
| stats values(COMMAND) as myProc_running values(must_run) AS must_run by host _time 
| makemv must_run 
| mvexpand must_run 
| where must_run!=myProc_running 
| do more Splunk-Fu here ....

This works perfectly.

Regarding your QID: is this mutlivalued in the lookup or in the search? if it is in the search, you could use makemv/mvexpand before the lookup.

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

jdaves
Path Finder
‎11-03-2014 07:57 AM

Awesome, thank you!! I'll try tweaking it and see if I can make it work.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-28-2014 01:10 PM

Hi,

On Thursday I can check/verify how I did that. I use a multi value lookup for a list of hosts and get back a list of processes that should run on this host.
I'll get back .....

Reply
Solved! Jump to solution

jdaves
Path Finder
‎10-28-2014 01:11 PM

That would be awesome! Please do when you get the chance.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...