Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Lookup against an Array

gbam
Explorer
‎11-10-2023 09:57 AM

I'm trying to run a lookup against a list of values in an array.  I have a CSV which look as follows:

idxy
123DataData2
321DataData2
456Data3Data3

 

The field from the search is is an array which looks as follows:

["123", "321", 456"]

I want to map the lookup value.  Do I need to iterate over the field or can I use a lookup or is the best option?

Labels (4)
Labels
0 Karma
Reply

tscroggins
Champion
‎11-10-2023 01:19 PM

Hi @gbam,

Splunk provides an eval function, json_array_to_mv, to convert JSON-like array values to multivalued field values. After conversion, you can use the lookup command just as you would for any other field:

| makeresults
| eval id="[\"123\", \"321\", \"456\"]"
| eval id=json_array_to_mv(id, false())
| lookup gbam_lookup.csv id
_time id x y
2023-11-10 16:14:53 123
321
456		 Data
Data
Data3		 Data2
Data2
Data3

 

Index 0 of multivalued field id corresponds to index 0 of multivalued fields x and y, index 1 corresponds to index 1, etc.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...