Splunk Search

Why does lookup have matching multivalue field?

adent
Explorer

I am trying to add fields from a lookup table. However, the matching field is a multivalue field. I need to expand the matching field but do not know how to group the lookup command with a multivalue command

lookup file assest.csv: 

ip, host

10.10.1.1|10.100.1.1|10.10.200.1, srv1

10.10.1.2|10.100.1.2|10.10.200.2, srv2

original search that returns an IP value | [lookup assets.csv ip OUTPUT host |makemv delim="|" ip]

does not work

 

Labels (1)
Tags (2)
0 Karma
1 Solution

johnhuang
Motivator

You can either 1. migrate your csv lookup into a kvstore which supports multivalues or 2. expand the IP values into its own record and save it to a new lookup.

For 2:

| inputlookup assest.csv
| makemv delim="|" ip
| mvexpand ip
| outputlookup assets_expanded.csv

 

View solution in original post

johnhuang
Motivator

You can either 1. migrate your csv lookup into a kvstore which supports multivalues or 2. expand the IP values into its own record and save it to a new lookup.

For 2:

| inputlookup assest.csv
| makemv delim="|" ip
| mvexpand ip
| outputlookup assets_expanded.csv

 

ITWhisperer
SplunkTrust
SplunkTrust

I am not sure I understand what you are trying to do - if you have a multi-value field in your events and you want to look up these values, you could expand the multi-value field first

| mvexpand ip
| lookup assets.csv ip OUTPUT host
0 Karma

adent
Explorer

The MV IP is in the lookup table.  The original search returns a single IP value. The solution above about creating a new lookup table sounds easiest.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...