Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup multiple values for one field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My lookup table contains two columns: one for the input field and one for the value which will be populated into the new field created by my lookup.
If the lookup table does not contain unique values in the input field column, how can I get every matching value from the "value" coulmn.
My thinking was that the "Maximum matches" field in "Advanced Options" under the "Lookup Definition" menu would allow more than one value to be returned for a specific input field. If so, how are the values returned? If not, how can I get all the values in the lookup table that correspond to the input field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should try it and look at the results. Yes, Splunk will return more than 1 match. If there are multiple matches, the output fields are created as multi-valued fields.
There are a variety of commands and functions within Splunk that can manipulate multi-valued fields. The eval command has a number of useful functions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should try it and look at the results. Yes, Splunk will return more than 1 match. If there are multiple matches, the output fields are created as multi-valued fields.
There are a variety of commands and functions within Splunk that can manipulate multi-valued fields. The eval command has a number of useful functions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I didn't realize I was actually getting all of the values returned. I was expecting something like key=value1,value2,value3 not key=value1, key=value2, key=value3. I hadn't messed with multi-value fields before this.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
