Solved: Why is Lookup changing MV field to non MV?

morgantay96 · ‎06-20-2022

Hello I am a bit confused here but I have a search that runs and creates a multivalue field called "tags{}.name". This is a multivalue field pulled from JSON data. However when I then use the output of that search in a different search the field is no longer Multivalue and breaks if I try to split it. I need to either make this field delimited or ensure it remains a multi value field. Any help?

Search 1, Field is multivalue

Search 2, Field is no longer multivalue after using lookup.

morgantay96 · ‎06-20-2022

Solution was to use

| eval [new_field] = mvjoin([old_field], ";")

View solution in original post

morgantay96 · ‎06-20-2022

Solution was to use

| eval [new_field] = mvjoin([old_field], ";")

PickleRick · ‎06-20-2022

Wait a second. You're trying to do an outputlookup and want the subsequent lookup from a lookup created that way to return a mv-field? IMHO it won't work this way. How is Splunk supposed to store the mv-field in a flat csv file? I don't think lookups are even supposed to hold mv-fields at all.

morgantay96 · ‎06-20-2022

Ok, that makes sense. So is there a way to squash that MV field before output to have the values delimited in some way to later expand?

PickleRick · ‎06-20-2022

Yep. Exactly like you did - mvjoin()<->split()

Why is Lookup changing MV field to non MV?

fields

lookup

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!