Hi Splunk Answers,
I'm trying to do a lookup with a list of CVEs and the URL to them. The fields in the CSV file are QID, CVE-ID, and CVE-URL, which I'm outputting as cve_id and cve_url. I have events with a multi-valued field named 'qid'. I'd like to do a lookup on this field and output 2 new multi-valued fields, cve_id and cve_url. However, the lookup is just taking the first value for the 'qid' field and outputting the result from the CSV into cve_id and cve_url.
Here is my lookup command:
lookup qiddb_cve QID AS qid OUTPUTNEW "CVE-ID" AS cve_id "CVE-URL" AS cve_url
I found a similar issue here but it doesn't seem that there's a working solution there.
Has anyone found a way to generate a multi-valued output field from a lookup? I have to think someone's had this problem before, but I'm not finding a way to do it. Thanks!!
Hi jdaves,
Okay maybe this is not exactly the same use case....but I use a lookup file that looks like this:
host,number,processlist
hostA,3,process1 process2 process3
hostB,2,process1 process2
This is used as an auto lookup and provides for each matching host a multivalue field called must_run. I use this field to compare running processes against the must_run processes (using the Splunk ps.sh) like this:
base search here
| multikv fields COMMAND filter myProc
| stats values(COMMAND) as myProc_running values(must_run) AS must_run by host _time
| makemv must_run
| mvexpand must_run
| where must_run!=myProc_running
| do more Splunk-Fu here ....
This works perfectly.
Regarding your QID: is this multivalued in the lookup or in the search? If it is in the search, you could use makemv/mvexpand before the lookup.
hope this helps ...
cheers, MuS
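Applying MuS's advice to the question's own lookup command, as an added example (not posted by either participant): expand the multivalued qid before the lookup so every value is matched, then collapse the results back into one row per event. It assumes the events carry a host field and that the lookup is the qiddb_cve CSV named in the question.

```spl
... base search returning events with a multivalued qid field ...
| mvexpand qid
| lookup qiddb_cve QID AS qid OUTPUTNEW "CVE-ID" AS cve_id "CVE-URL" AS cve_url
| stats values(qid) AS qid values(cve_id) AS cve_id values(cve_url) AS cve_url by host _time
```

mvexpand multiplies the event count by the number of qid values, so the stats step is what restores one row per host and _time with cve_id and cve_url as multivalued fields. If a single QID maps to several rows in the CSV, the lookup itself already returns multivalued outputs for that value (up to max_matches in transforms.conf), and values() merges them with the rest.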
Awesome, thank you!! I'll try tweaking it and see if I can make it work.
Hi,
On Thursday I can check/verify how I did that. I use a multi value lookup for a list of hosts and get back a list of processes that should run on this host.
I'll get back .....
That would be awesome! Please do when you get the chance.