- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to output multivalue fields from lookups?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splunk Answers,
I'm trying to do a lookup with a list of CVEs and the URL to them. The fields in the CSV file are QID, CVE-ID, and CVE-URL, which I'm outputting as cve_id and cve_url. I have events with a multi-valued field named 'qid'. I'd like to do a lookup on this field and output 2 new multi-valued fields, cve_id and cve_url. However, the lookup is just taking the first value for the 'qid' field and outputting the result from the CSV into cve_id and cve_url.
Here is my lookup command:
lookup qiddb_cve QID AS qid OUTPUTNEW "CVE-ID" AS cve_id "CVE-URL" AS cve_url
I found a similar issue here but it doesn't seem that there's a working solution there.
Has anyone found a way to generate a multi-valued output field from a lookup? I have to think someone's had this problem before, but I'm not finding a way to do it. Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jdaves,
Okay maybe this is not exactly the same use case....but I use a lookup file that looks like this:
host,number,processlist
hostA,3,process1 process2 process3
hostB,2,process1 process2
This is used as auto lookup and provides for each matching host an multivalue field called must_run. I use this field to compare running processes against the must_run processes (using the Splunk ps.sh) like this:
base search here
| multikv fields COMMAND filter myProc
| stats values(COMMAND) as myProc_running values(must_run) AS must_run by host _time
| makemv must_run
| mvexpand must_run
| where must_run!=myProc_running
| do more Splunk-Fu here ....
This works perfectly.
Regarding your QID: is this mutlivalued in the lookup or in the search? if it is in the search, you could use makemv/mvexpand before the lookup.
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jdaves,
Okay maybe this is not exactly the same use case....but I use a lookup file that looks like this:
host,number,processlist
hostA,3,process1 process2 process3
hostB,2,process1 process2
This is used as auto lookup and provides for each matching host an multivalue field called must_run. I use this field to compare running processes against the must_run processes (using the Splunk ps.sh) like this:
base search here
| multikv fields COMMAND filter myProc
| stats values(COMMAND) as myProc_running values(must_run) AS must_run by host _time
| makemv must_run
| mvexpand must_run
| where must_run!=myProc_running
| do more Splunk-Fu here ....
This works perfectly.
Regarding your QID: is this mutlivalued in the lookup or in the search? if it is in the search, you could use makemv/mvexpand before the lookup.
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome, thank you!! I'll try tweaking it and see if I can make it work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
On Thursday I can check/verify how I did that. I use a multi value lookup for a list of hosts and get back a list of processes that should run on this host.
I'll get back .....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That would be awesome! Please do when you get the chance.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
