
multivalued OUTPUT field for my automatic lookup

Communicator

Is it possible to configure an automatic lookup to use a multivalued OUTPUT field? I should add that the lookup's matching field is multivalued.


Path Finder

If you want to get multi-value outputs then make sure you select "Overwrite field values" for the automatic lookup. In other words, make sure you see OUTPUT and not OUTPUTNEW.

By default, the UI sets automatic lookups to use OUTPUTNEW, but that will only write to the output field if it does not exist already (which results in only the first value of an mv-field being looked up).

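To make the accepted answer concrete, here is what the two settings look like in the underlying configuration files rather than in the Splunk Web form. This is an added example and not part of the original post; the lookup definition name lookup_key, the lookup file mydata.csv and the sourcetype mydata are assumed names.

```ini
# transforms.conf  (added example; lookup name and file name are assumed)
[lookup_key]
filename = mydata.csv
# Default for a non-temporal CSV lookup is already 1000. It is written out here
# because a value of 1 would collapse a key that has several rows in the CSV
# down to a single output value.
max_matches = 1000

# props.conf  (added example; the sourcetype "mydata" is assumed)
[mydata]
# What the automatic-lookup form writes when "Overwrite field values" is left
# unchecked: OUTPUTNEW only fills resultX / resultY if they are absent.
#LOOKUP-key = lookup_key key OUTPUTNEW resultX resultY

# What the answer above recommends ("Overwrite field values" checked):
# OUTPUT always writes the looked-up values.
LOOKUP-key = lookup_key key OUTPUT resultX resultY
```

Both stanzas belong in the local/ directory of the same app, and mydata.csv in that app's lookups/ directory. If the automatic lookup was created in Splunk Web, opening it under Settings > Lookups > Automatic lookups shows which of the two forms is currently in effect.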

Legend

If your input key is multivalued, then you may have a problem, depending on what you want to do.

For this answer, assume that the lookup is described as in lguinn's answer from 14-Mar-2012. Also assume that the event data that we are searching has a format something like this

14-Feb-2012 09:02:17 12345 1,2 other stuff

where the fields are the timestamp, a 5-digit field named id and a multivalued field named key. Assume that you also have created a lookup named lookup_key.

One easy way to make things work - depending on what you want for a final output -

yoursearchhere | mvexpand key | lookup lookup_key key OUTPUT resultX resultY | whatever else...

Everything else gets more complicated, and depends on exactly what data you have and what result you need.

So if this idea doesn't work for you, please

  • create a new question
  • include a few sample events (sanitized of real server names, user names etc)
  • a description of the important fields (and which ones can be multi-valued)
  • an example of the lookup table (a couple lines should do here)
  • explanation, mock-up or something to describe the results that you are trying to get

There isn't really enough info in this thread to go farther.

Legend

If you allow multiple matches in your lookup (which is the default) then you can get multi-value outputs. But it has to be set up in the lookup table itself. Here is an example: mydata.csv contains

key,resultX,resultY
1,aaa,bbb
2,ccc,ddd
2,ccc,eee

Notice that there are two rows with key=2. So if you do a lookup where key is the input field, and where resultX and resultY are output fields, you will get the values

key=2
resultX=ccc
resultY=ddd,eee (multi-valued)

Is this what you are looking for?

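Putting the two answers above together (the mvexpand approach and the lookup table with two rows for key=2), here is one end-to-end search that can be pasted into a search bar. It is an added example, not part of the original thread. It assumes that mydata.csv from the previous answer has been uploaded and exposed as a lookup definition named lookup_key with max_matches left at its default; the single sample event is fabricated with makeresults and eval in place of real indexed data.

```spl
| makeresults
| eval _raw="14-Feb-2012 09:02:17 12345 1,2 other stuff"
| rex field=_raw "^(?<timestamp>\S+ \S+) (?<id>\d{5}) (?<key>[\d,]+)"
| makemv delim="," key
| mvexpand key
| lookup lookup_key key OUTPUT resultX resultY
| stats values(key) AS key values(resultX) AS resultX values(resultY) AS resultY BY id
```

Stage by stage: rex extracts timestamp, id and the raw key string; makemv turns "1,2" into a multivalued key; mvexpand splits the event into one row per key value, so the lookup sees a single value per row instead of only the first value of the multivalued field; the lookup then adds resultX and resultY per row, with key=2 yielding resultY=ddd,eee because the table has two matching rows; finally stats values() folds the rows back into one result per id. The expected output is a single row with id=12345, key=1,2, resultX=aaa,ccc and resultY=bbb,ddd,eee. Note that values() de-duplicates and sorts; use list() if you need the original order or repeated values, and keep in mind that mvexpand is subject to the search-time memory limit, so a field with a very large number of values can be truncated.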
Path Finder

I am having the same problem... I have a multi-valued field with 10 events. When I do a lookup, it only matches on the first event. Even with an mvexpand on the field (to separate each value of the multi-valued field into separate events), it actually matches on each event of the lookup value from the first value of the field. I have events now with the wrong lookup value.

Contributor

I understand what you are trying to do as I'm having the same issue as well. The automatic lookup should execute on each value of the multivalue field in the event and return a multivalue field. Did you happen to find a better solution than editing your events or using mvexpand?

Communicator

I am having the same issue. Did you get a resolution on this?
Thanks.

Communicator

Not exactly. My problem is I have a multivalued matching field (key in ex above) and I need to return all matching output, which will also make the output field multivalued. The behavior I'm seeing with the multivalued matching field is that it applies the first multivalued matching field to the lookup and skips the remaining.

Example: I have two keys (key=1 & key=2 example above) in an event that retrieves resultX using an automatic lookup. However the automatic lookup only returns the first match (aaa) when I need it to return (aaa & ccc) in a multivalued output field.
