Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you enforce a lookup match for all values of a multivalue field?

Murali2888
Communicator
‎02-04-2019 03:04 PM

I have a multivalue field in my events and I want to do a lookup against a multivalue field in kvstore field. Event field can either have all values of kvstore mv field or a subset of it. Existing lookup command matches at least one of the values. I want to enforce a match only if all values are present in the kvstore field.

kvstorefieldA
A1 A2 A3
B1 B2 B3 B4 B5

event fieldX
A1 A2 A3
A1 A4

How can I enforce that only the first value of fieldX matches and the second does not?

0 Karma
Reply

woodcock
Esteemed Legend
‎02-13-2019 12:15 PM

You cannot directly but you can easily adjust your situation to make it work. First fix your lookup with this search:

|inputlookup YourLookupHere
| stats values(kvstorefieldA) AS kvstorefieldA BY Your Other Field Names Here
| nomv kvstorefieldA
| outputlookup YourLookupHere

Now adjust your search like this:

Your Search Stuff
| eval kvstorefieldA=mvdedup(mvsort(kvstorefieldA))
| nomv kvstorefieldA
| lookup YourLookupHere kvstorefieldA

The nomv command flattens the mulit-valued field into a space-delimited single-value field.

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...