How to use lookup and multivalue field together

vikashumble
Explorer

Hello All,

I have a multivalue field which contains domain names (for this case, say it is in a field named emailDomains and it contains 5 values). I have a lookup named whitelistdomains which contains 2000+ domain names. Now, what I want is to look at these multivalue domain names and check if each domain name is present in my lookup. Is that possible? Example and expected output are below. I did try doing this using mvexpand but sometimes I end up with memory issues on Splunk Cloud and hence want to avoid this. I tried using map and mvmap to see if somehow I can pass one value at a time to the inputlookup command and get the output. But so far, I am not able to figure it out properly. I did achieve this via a very dirty method of using appendpipe to get the list of values in the lookup and then eventstats to create that variable against each event for comparison. But this made the search very clunky and I am sure there are better ways of doing this? So, if you can please suggest a better way, that would be amazing.

emailDomains field:

test.com
sample.com
example.com

whitelistdomains lookup data:

whitelist.com
sample.com
something.com
example.com
......and so on..

Expected output:

whitelistedDomains (this is a new field after looking up all multivalue field values against the lookup)

sample.com
example.com



yuanliu
SplunkTrust

This is a little confusing. There is nothing to prevent multivalue fields from being used in lookup. There is no need to mvexpand. All you need to do is

| lookup whitelistdomains url as emailDomains output url as match

The above assumes that whitelistdomains contains a field named url for this match job.

To demonstrate, I'm using a lookup table from a previous question called all_urls. Its content is as follows:

url
www.url1.com
*.url2.com
site.url3.com

This is an emulation - I just changed the lookup name from the above.


| makeresults
| fields - _time
| eval emailDomains = mvappend("www.url1.com", "site.url3.com", "www.url3.com")
``` data emulation above ```
| lookup all_urls url as emailDomains output url as match


This gives

emailDomains     match
site.url3.com    site.url3.com

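Applying the accepted approach to the asker's own field and lookup names, as an added example that is not from the original thread. It assumes the whitelistdomains lookup has a column named url (the same assumption the answer makes), builds a single constructed event with makeresults, lower-cases the domains first because lookup matching is case-sensitive unless the lookup definition sets case_sensitive_match = false in transforms.conf, and also derives the domains that did not match, which is usually the set a defender actually wants to alert on:

```spl
| makeresults
| fields - _time
| eval emailDomains = mvappend("Test.com", "sample.com", "example.com")
| eval emailDomains = lower(emailDomains)
| lookup whitelistdomains url AS emailDomains OUTPUT url AS whitelistedDomains
| eval notWhitelisted = mvmap(emailDomains, if(isnull(mvfind(whitelistedDomains, "^".emailDomains."$")), emailDomains, null()))
| table emailDomains whitelistedDomains notWhitelisted
```

The first three lines are the constructed sample (one value deliberately in mixed case); replace them with your real search. With the lookup data from the question, whitelistedDomains comes back as sample.com and example.com and notWhitelisted as test.com. The mvmap call keeps each original value whose exact match (^...$) is absent from whitelistedDomains; because whitelistedDomains only ever contains values returned by the exact lookup match, the unescaped dots in that regex can only matter if two allowlisted domains differ solely at a dot position. This stays a single lookup per event, so it avoids the per-value expansion that caused the mvexpand memory problems.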
livehybrid
SplunkTrust

Hi @vikashumble 

Would something like this work for you?


| makeresults 
| eval _raw="{\"id\": \"12345\", \"domain\": [\"test.com\",\"sample.com\",\"example.com\"]}"
| eval domain=json_array_to_mv(json_extract(_raw,"domain"))
| eval whitelistedDomains=""
| foreach domain mode=multivalue
    [| eval whitelistedDomains=mvappend(IF(tostring(json_extract(lookup("domainallowlist.csv",json_object("domain",<<ITEM>>),json_array("isAllowed")),"isAllowed"))=="1",<<ITEM>>,null()),whitelistedDomains) ]

This relies on having an "isAllowed"=1 value in the lookup but could be adjusted to your scenario?

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will
