Solved: Why does lookup have matching multivalue field?

adent · ‎10-18-2022

I am trying to add fields from a lookup table. However, the matching field is a multivalue field. I need to expand the matching field but do not know how to group the lookup command with a multivalue command

lookup file assest.csv:

ip, host

10.10.1.1|10.100.1.1|10.10.200.1, srv1

10.10.1.2|10.100.1.2|10.10.200.2, srv2

original search that returns an IP value | [lookup assets.csv ip OUTPUT host |makemv delim="|" ip]

does not work

johnhuang · ‎10-18-2022

You can either 1. migrate your csv lookup into a kvstore which supports multivalues or 2. expand the IP values into its own record and save it to a new lookup.

For 2:

| inputlookup assest.csv
| makemv delim="|" ip
| mvexpand ip
| outputlookup assets_expanded.csv

View solution in original post

johnhuang · ‎10-18-2022

You can either 1. migrate your csv lookup into a kvstore which supports multivalues or 2. expand the IP values into its own record and save it to a new lookup.

For 2:

| inputlookup assest.csv
| makemv delim="|" ip
| mvexpand ip
| outputlookup assets_expanded.csv

ITWhisperer · ‎10-18-2022

I am not sure I understand what you are trying to do - if you have a multi-value field in your events and you want to look up these values, you could expand the multi-value field first

| mvexpand ip
| lookup assets.csv ip OUTPUT host

adent · ‎10-18-2022

The MV IP is in the lookup table. The original search returns a single IP value. The solution above about creating a new lookup table sounds easiest.

Why does lookup have matching multivalue field?

lookup

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users