Splunk Search

Why is Lookup changing MV field to non MV?

morgantay96
Path Finder

Hello, I am a bit confused here, but I have a search that runs and creates a multivalue field called "tags{}.name". This is a multivalue field pulled from JSON data. However, when I then use the output of that search in a different search, the field is no longer multivalue and breaks if I try to split it. I need to either make this field delimited or ensure it remains a multivalue field. Any help?

Search 1, Field is multivalue

[Screenshot: Untitled.png]

Search 2, Field is no longer multivalue after using lookup.

[Screenshot: Untitled.png]



 

0 Karma

morgantay96
Path Finder

Solution was to use

| eval [new_field] = mvjoin([old_field], ";")

 


PickleRick
SplunkTrust

Wait a second. You're trying to do an outputlookup and want the subsequent lookup from a lookup created that way to return a mv-field? IMHO it won't work this way. How is Splunk supposed to store the mv-field in a flat csv file? I don't think lookups are even supposed to hold mv-fields at all.

0 Karma

morgantay96
Path Finder

Ok, that makes sense. So is there a way to squash that MV field before output to have the values delimited in some way to later expand?

0 Karma

PickleRick
SplunkTrust

Yep. Exactly like you did - mvjoin()<->split()

0 Karma
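
The mvjoin()/split() round trip discussed in this thread, as an added example that is not part of any poster's reply. The block holds two searches to run separately: the first (through outputlookup) flattens the field and writes the lookup, the second (after the blank line) reads it back and restores the multivalue field. The sample event, the id value and the lookup name example_tags_constructed.csv are constructed, and the ";" delimiter is assumed never to occur inside a tag name.

```spl
| makeresults
| eval _raw="{\"id\": \"constructed-asset-01\", \"tags\": [{\"name\": \"prod\"}, {\"name\": \"pci\"}, {\"name\": \"dmz\"}]}"
| spath
| eval tag_names_joined=mvjoin('tags{}.name', ";")
| table id tag_names_joined
| outputlookup example_tags_constructed.csv

| makeresults
| eval id="constructed-asset-01"
| lookup example_tags_constructed.csv id OUTPUT tag_names_joined
| eval tag_names=split(tag_names_joined, ";")
| eval tag_count=mvcount(tag_names)
| table id tag_names_joined tag_names tag_count
```

Inside eval, tags{}.name is wrapped in single quotes because the field name contains braces and a dot. If a tag value could contain the delimiter, pick a different one for both mvjoin() and split(), otherwise the split produces extra values.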