Splunk Search

multivalued OUTPUT field for my automatic lookup

carmackd
Communicator

Is it possible to configure an automatic lookup to use a multivalued OUTPUT field? I should add that the lookups matching field is multivalued.

Tags (2)
1 Solution

dvb
Path Finder

If you want to get multi-value outputs then make sure you select "Overwrite field values" for the automatic lookup. In other words, make sure you see OUTPUT and not OUTPUTNEW.

By default, the UI sets automatic lookup to use OUTPUTNEW, but that will only write to the output field if it does not exist already (which will result in only the first value of an mv-field to being looked up).

View solution in original post

dvb
Path Finder

If you want to get multi-value outputs then make sure you select "Overwrite field values" for the automatic lookup. In other words, make sure you see OUTPUT and not OUTPUTNEW.

By default, the UI sets automatic lookup to use OUTPUTNEW, but that will only write to the output field if it does not exist already (which will result in only the first value of an mv-field to being looked up).

lguinn2
Legend

If your input key is multivalued, then you may have a problem, depending on what you want to do.

For this answer, assume that the lookup is described as in lguinn's answer from 14-Mar-2012. And, assume that the event data that we are searching has a format something like this

14-Feb-2012 09:02:17 12345 1,2 other stuff

where the fields are the timestamp, a 5-digit field named id and a multivalued-field named key. Assume that you also have created a lookup named lookup_key.

One easy way to make things work - depending on what you want for a final output -

yoursearchhere | mvexpand key | lookup lookup_key key OUTPUT resultX resultY | whatever else...

Everything else gets more complicated, and depends on exactly what data you have and what result you need.

So if this idea doesn't work for you, please

  • create a new question
  • include a few sample events (sanitized of real server names, user names etc)
  • description of the important fields (and which ones can be multi-valued)
  • an example of the lookup table (a couple lines should do here)
  • explanation, mock-up or something to describe the results that you are trying to get

There isn't really enough info in this thread to go farther.

0 Karma

lguinn2
Legend

If you allow multiple matches in your lookup (which is the default) then you can get multi-value outputs. But it has to be set up in the lookup table itself. Here is an example: mydata.csv contains

key,resultX,resultY

1,aaa,bbb

2,ccc,ddd

2,ccc,eee

Notice that there are two rows with key=2. So if you do a lookup where key is the input field, and where resultX and resultY are output fields, you will get the values

key=2

resultX=ccc

resultY=ddd,eee (multi-valued)

Is this what you are looking for?

0 Karma

caseypike
Path Finder

I am having the same problem... I have a multi-vlued field with 10 events. When I do a lookup, it only matches on the first event. Even with an mvexpand on the field (to separate each value of the multi-valued field into separate events), it actually matches on each event of the lookukp value from the first value of the field. I have events now with the wrong lookup value.

0 Karma

jpass
Contributor

I understand what you are trying to do as I'm having the same issue as well. The automatic lookup should execute on each value of the multivalue field in the event and return a multivalue field. Did you happen to find a better solution then editing your events or using mvexpand?

0 Karma

rdownie
Communicator

I am having the same issue. Did you get a resolution on this?
Thanks.

0 Karma

carmackd
Communicator

Not exactly. My problem is I have a multivalued matching field (key in ex above) and I need to return all matching output, which will also make the output field multivalued. The behavior I'm seeing with the multivalued matching field is that it applies the first multivalued matching field to the lookup and skips the remaining.

Example: I have two keys (key=1 & key=2 example above) in an event that retrieves resultX using an automatic lookup. However the automatic lookup only returns the first match (aaa) when I need it to return (aaa & ccc) in a multivalued output field.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...