Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to output multivalue fields from lookups?

jdaves
Path Finder
‎10-28-2014 08:08 AM

Hi Splunk Answers,

I'm trying to do a lookup with a list of CVEs and the URL to them. The fields in the CSV file are QID, CVE-ID, and CVE-URL, which I'm outputting as cve_id and cve_url. I have events with a multi-valued field named 'qid'. I'd like to do a lookup on this field and output 2 new multi-valued fields, cve_id and cve_url. However, the lookup is just taking the first value for the 'qid' field and outputting the result from the CSV into cve_id and cve_url.

Here is my lookup command:

lookup qiddb_cve QID AS qid OUTPUTNEW "CVE-ID" AS cve_id "CVE-URL" AS cve_url

I found a similar issue here but it doesn't seem that there's a working solution there.

Has anyone found a way to generate a multi-valued output field from a lookup? I have to think someone's had this problem before, but I'm not finding a way to do it. Thanks!!

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-30-2014 03:19 AM

Hi jdaves,

Okay maybe this is not exactly the same use case....but I use a lookup file that looks like this:

host,number,processlist
hostA,3,process1 process2 process3
hostB,2,process1 process2

This is used as auto lookup and provides for each matching host an multivalue field called must_run. I use this field to compare running processes against the must_run processes (using the Splunk ps.sh) like this:

base search here 
| multikv fields COMMAND filter myProc
| stats values(COMMAND) as myProc_running values(must_run) AS must_run by host _time 
| makemv must_run 
| mvexpand must_run 
| where must_run!=myProc_running 
| do more Splunk-Fu here ....

This works perfectly.

Regarding your QID: is this mutlivalued in the lookup or in the search? if it is in the search, you could use makemv/mvexpand before the lookup.

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-30-2014 03:19 AM

Hi jdaves,

Okay maybe this is not exactly the same use case....but I use a lookup file that looks like this:

host,number,processlist
hostA,3,process1 process2 process3
hostB,2,process1 process2

This is used as auto lookup and provides for each matching host an multivalue field called must_run. I use this field to compare running processes against the must_run processes (using the Splunk ps.sh) like this:

base search here 
| multikv fields COMMAND filter myProc
| stats values(COMMAND) as myProc_running values(must_run) AS must_run by host _time 
| makemv must_run 
| mvexpand must_run 
| where must_run!=myProc_running 
| do more Splunk-Fu here ....

This works perfectly.

Regarding your QID: is this mutlivalued in the lookup or in the search? if it is in the search, you could use makemv/mvexpand before the lookup.

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

jdaves
Path Finder
‎11-03-2014 07:57 AM

Awesome, thank you!! I'll try tweaking it and see if I can make it work.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎10-28-2014 01:10 PM

Hi,

On Thursday I can check/verify how I did that. I use a multi value lookup for a list of hosts and get back a list of processes that should run on this host.
I'll get back .....

Reply
Solved! Jump to solution

jdaves
Path Finder
‎10-28-2014 01:11 PM

That would be awesome! Please do when you get the chance.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...