Splunk Search

Issue of lookup csv file and output multiple values

leo_wang
Path Finder

Hi,

When I look up a CSV file and match multiple values, it will output as a multi-value field.
Like this:
[screenshot]

But is it possible to expand the result into multiple records instead of a multi-value record
(like the result of the "join" command)?
What I want will look like this:
[screenshot]

I know there is a "mvexpand" command, but this command accepts only one field to expand the record.
And because my lookup file is very large and it is a time-based lookup, it is difficult to change to the "join" command instead of "lookup".

Any idea?

0 Karma
1 Solution

mayurr98
Super Champion

Well, you are certainly looking to expand multiple fields, so you would need to do mvzip and then mvexpand.
Have a look at this doc for mvzip:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/MultivalueEvalFunctions#mvzip.28X....

For example, if you have 4 fields then try

| eval a=mvzip(field1,mvzip(field2,mvzip(field3,field4))) | mvexpand a

then use regex to separate it out.

Let me know if this helps!

0 Karma
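A complete search built on the mvzip/mvexpand approach from the accepted answer, added here as an example (it is not code from the original thread). The lookup output is simulated with makeresults and constructed values; the field names host, user, ip and dept are assumed, and "|" is used as the mvzip delimiter instead of the default "," so that CSV values containing commas cannot break the regex that splits each zipped row back out.

```spl
| makeresults
| eval host="web01"
| eval user=split("alice,bob,carol", ",")
| eval ip=split("10.0.0.1,10.0.0.2,10.0.0.3", ",")
| eval dept=split("sec,ops,dev", ",")
| eval zipped=mvzip(user, mvzip(ip, dept, "|"), "|")
| fields - user ip dept
| mvexpand zipped
| rex field=zipped "^(?<user>[^|]+)\|(?<ip>[^|]+)\|(?<dept>[^|]+)$"
| fields - zipped
| table host user ip dept
```

The three multivalue fields a lookup returns for one event have the same number of values in the same order, which is what mvzip relies on; the original multivalue fields are dropped before mvexpand so the rex extraction repopulates them with single values per row.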


leo_wang
Path Finder

Thanks for your idea.
It sounds workable, but I am worried about the performance because there will be a huge volume of data to process.

But it is still worth a try~

0 Karma

landen99
Motivator

Performance should not be an issue here.

0 Karma