Splunk Search

How to output multivalue fields from lookups?

jdaves
Path Finder

Hi Splunk Answers,

I'm trying to do a lookup with a list of CVEs and the URL to them. The fields in the CSV file are QID, CVE-ID, and CVE-URL, which I'm outputting as cve_id and cve_url. I have events with a multi-valued field named 'qid'. I'd like to do a lookup on this field and output 2 new multi-valued fields, cve_id and cve_url. However, the lookup is just taking the first value for the 'qid' field and outputting the result from the CSV into cve_id and cve_url.

Here is my lookup command:

lookup qiddb_cve QID AS qid OUTPUTNEW "CVE-ID" AS cve_id "CVE-URL" AS cve_url

I found a similar issue here but it doesn't seem that there's a working solution there.

Has anyone found a way to generate a multi-valued output field from a lookup? I have to think someone's had this problem before, but I'm not finding a way to do it. Thanks!!

1 Solution

MuS
SplunkTrust

Hi jdaves,

Okay maybe this is not exactly the same use case....but I use a lookup file that looks like this:

host,number,processlist
hostA,3,process1 process2 process3
hostB,2,process1 process2

This is used as an automatic lookup and provides, for each matching host, a multivalue field called must_run. I use this field to compare running processes against the must_run processes (using the Splunk ps.sh) like this:

base search here 
| multikv fields COMMAND filter myProc
| stats values(COMMAND) as myProc_running values(must_run) AS must_run by host _time 
| makemv must_run 
| mvexpand must_run 
| where must_run!=myProc_running 
| do more Splunk-Fu here ....

This works perfectly.

Regarding your QID: is this multivalued in the lookup or in the search? If it is in the search, you could use makemv/mvexpand before the lookup.

hope this helps ...

cheers, MuS

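The expand/lookup/regroup pattern the accepted answer points at, written out for the CVE use case in the question. This is an added example and is not part of the original post or of MuS's search; it assumes a base search of index=vuln sourcetype=qualys (placeholder), a lookup named qiddb_cve whose CSV has one row per QID/CVE pair with columns QID, CVE-ID and CVE-URL (as described in the question), and a host field on the events:

```spl
index=vuln sourcetype=qualys
| streamstats count AS event_id
| mvexpand qid
| lookup qiddb_cve QID AS qid OUTPUTNEW "CVE-ID" AS cve_id "CVE-URL" AS cve_url
| eval cve=if(isnotnull(cve_id), cve_id." ".cve_url, "no CVE mapped for QID ".qid)
| stats first(_time) AS _time first(host) AS host values(qid) AS qid list(cve_id) AS cve_id list(cve_url) AS cve_url list(cve) AS cve by event_id
| fields - event_id
```

streamstats tags each original event before mvexpand splits the multivalue qid into one row per value; lookup then matches every value, not just the first; stats folds the rows back into one event per event_id. list() is used for cve_id and cve_url rather than values() because values() deduplicates and sorts, which would break the pairing between a CVE ID and its URL; list() keeps insertion order (it is capped at 100 values per field), and the concatenated cve field keeps each pair together regardless. Two caveats: mvexpand is bounded by max_mem_usage_mb and will truncate results on very wide events, and if a single QID has several CVEs the lookup returns them all only while max_matches in transforms.conf allows it (the default for non-temporal lookups is 1000). If instead the CSV stores all CVEs for a QID in one space-separated cell, skip mvexpand and apply makemv delim=" " to cve_id and cve_url after the lookup, which is the shape MuS's processlist example uses.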


jdaves
Path Finder

Awesome, thank you!! I'll try tweaking it and see if I can make it work.


MuS
SplunkTrust

Hi,

On Thursday I can check/verify how I did that. I use a multi value lookup for a list of hosts and get back a list of processes that should run on this host.
I'll get back .....

jdaves
Path Finder

That would be awesome! Please do when you get the chance.
