Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Lookup changing MV field to non MV?

morgantay96
Path Finder
‎06-20-2022 12:39 PM

Hello I am a bit confused here but I have a search that runs and creates a multivalue  field called "tags{}.name". This is a multivalue field pulled from JSON data. However when I then use the output of that search in a different search the field is no longer Multivalue and breaks if I try to split it. I need to either make this field delimited or ensure it remains a multi value field. Any help?

Search 1, Field is multivalue

Untitled.pngSearch 2, Field is no longer multivalue after using lookup.

Untitled.png



 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

morgantay96
Path Finder
‎06-20-2022 01:19 PM

Solution was to use

| eval [new_field] = mvjoin([old_field], ";")

 

View solution in original post

Reply
Solved! Jump to solution
Solution

morgantay96
Path Finder
‎06-20-2022 01:19 PM

Solution was to use

| eval [new_field] = mvjoin([old_field], ";")

 

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎06-20-2022 12:49 PM

Wait a second. You're trying to do an outputlookup and want the subsequent lookup from a lookup created that way to return a mv-field? IMHO it won't work this way. How is Splunk supposed to store the mv-field in a flat csv file? I don't think lookups are even supposed to hold mv-fields at all.

0 Karma
Reply
Solved! Jump to solution

morgantay96
Path Finder
‎06-20-2022 01:05 PM

Ok, that makes sense. So is there a way to squash that MV field before output to have the values delimited in some way to later expand?

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎06-20-2022 01:32 PM

Yep. Exactly like you did - mvjoin()<->split()

0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...