Is it possible to configure an automatic lookup to use a multivalued OUTPUT field? I should add that the lookups matching field is multivalued.
If you want to get multi-value outputs then make sure you select "Overwrite field values" for the automatic lookup. In other words, make sure you see OUTPUT
and not OUTPUTNEW
.
By default, the UI sets automatic lookup to use OUTPUTNEW
, but that will only write to the output field if it does not exist already (which will result in only the first value of an mv-field to being looked up).
If you want to get multi-value outputs then make sure you select "Overwrite field values" for the automatic lookup. In other words, make sure you see OUTPUT
and not OUTPUTNEW
.
By default, the UI sets automatic lookup to use OUTPUTNEW
, but that will only write to the output field if it does not exist already (which will result in only the first value of an mv-field to being looked up).
If your input key is multivalued, then you may have a problem, depending on what you want to do.
For this answer, assume that the lookup is described as in lguinn's answer from 14-Mar-2012. And, assume that the event data that we are searching has a format something like this
14-Feb-2012 09:02:17 12345 1,2 other stuff
where the fields are the timestamp, a 5-digit field named id
and a multivalued-field named key
. Assume that you also have created a lookup named lookup_key
.
One easy way to make things work - depending on what you want for a final output -
yoursearchhere | mvexpand key | lookup lookup_key key OUTPUT resultX resultY | whatever else...
Everything else gets more complicated, and depends on exactly what data you have and what result you need.
So if this idea doesn't work for you, please
There isn't really enough info in this thread to go farther.
If you allow multiple matches in your lookup (which is the default) then you can get multi-value outputs. But it has to be set up in the lookup table itself. Here is an example: mydata.csv contains
key,resultX,resultY
1,aaa,bbb
2,ccc,ddd
2,ccc,eee
Notice that there are two rows with key=2. So if you do a lookup where key is the input field, and where resultX and resultY are output fields, you will get the values
key=2
resultX=ccc
resultY=ddd,eee (multi-valued)
Is this what you are looking for?
I am having the same problem... I have a multi-vlued field with 10 events. When I do a lookup, it only matches on the first event. Even with an mvexpand on the field (to separate each value of the multi-valued field into separate events), it actually matches on each event of the lookukp value from the first value of the field. I have events now with the wrong lookup value.
I understand what you are trying to do as I'm having the same issue as well. The automatic lookup should execute on each value of the multivalue field in the event and return a multivalue field. Did you happen to find a better solution then editing your events or using mvexpand?
I am having the same issue. Did you get a resolution on this?
Thanks.
Not exactly. My problem is I have a multivalued matching field (key in ex above) and I need to return all matching output, which will also make the output field multivalued. The behavior I'm seeing with the multivalued matching field is that it applies the first multivalued matching field to the lookup and skips the remaining.
Example: I have two keys (key=1 & key=2 example above) in an event that retrieves resultX using an automatic lookup. However the automatic lookup only returns the first match (aaa) when I need it to return (aaa & ccc) in a multivalued output field.