Why is mvexpand not working on lookup?

GersonGarcia
Path Finder

Hello,

I am trying to create a dashboard input based on a lookup table. I have a simple lookup with the monitor name and a list of all components it may apply to:

 

$ cat Itron_INS_monitors.csv
"Monitor_Name",Component
"AMM::DB::Unscheduled Jobs",DB
"APP:::Tibco::ERROR: Accept() failed: too many open files",TIBCO
"App::All::DB Connection Pool Exhausted","FWU
GMR
MPC
MT
NEM
ODS
THIRDPARTY
TMB
RMACA
CAAS
HCM
NEC
DMS
DLCA
*
FPS
SSNAGENT
SSNAGENTFORWARDER
TRAPROUTER
AMMWSROUTE
AMMJMSROUTE
ODSJMSROUTE
HCMWSROUTE
MPCWSROUTE
SENSORIQWSROUTE
ODSWSROUTE
AMMMULTISPEAK
REG
SAM
PM
SENSORIQ
TBR
ACTIVEMONITOR
ZCU"

 


For some reason, mvexpand does not work.


It is not memory, because my csv file has just ~100 lines.

Please help!!!

Thank you


kamlesh_vaghela
SplunkTrust

@GersonGarcia 

You have to put a new line in the split function

|eval Component=split(Component,"
")

SPL.

| inputlookup Itron_INS_monitors.csv 
| table Monitor_Name Component
|eval Component=split(Component,"
")
| mvexpand Component

 


 

KV 


richgalloway
SplunkTrust

mvexpand doesn't work because the field is not a multi-value field.  It's a single-value field with embedded newlines.  Try using the split function to break up the field then mvexpand should work.

... | fields Monitor_Name Component 
| eval Component=split(Component, "
")
| mvexpand Component

 

---
If this reply helps you, Karma would be appreciated.

GersonGarcia
Path Finder

Yes, that works... Interesting why \n didn't...


richgalloway
SplunkTrust

It's because the split function does not accept regular expressions.  It expects plain text.

---
If this reply helps you, Karma would be appreciated.
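
An added example, not part of any reply in this thread: a self-contained search that reproduces the lookup behaviour discussed above on one constructed row (built with makeresults, so no lookup file is needed) and goes slightly beyond the thread by tolerating both LF and CRLF line endings. Because eval's replace function takes a regular expression while split takes plain text, the line endings are first normalised to ";" and the split is done on that; the field names values_before and values_after are chosen here, and the search assumes ";" never occurs in a component name.

```spl
| makeresults
| eval Monitor_Name="App::All::DB Connection Pool Exhausted"
| eval Component="FWU
GMR
MPC"
| eval values_before=mvcount(Component)
| eval Component=split(replace(Component, "[\r\n]+", ";"), ";")
| eval values_after=mvcount(Component)
| mvexpand Component
| table Monitor_Name Component values_before values_after
```

Comparing values_before with values_after shows whether Component was a single value with embedded newlines or already multi-value before the split, which is the condition mvexpand depends on.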

GersonGarcia
Path Finder

@richgalloway 

I tried both:

Screen Shot 2022-07-25 at 10.35.33 AM.png

And:

Screen Shot 2022-07-25 at 10.37.07 AM.png

Thank you!

