So the basic idea of this is I have an event that has multiple entries within the same Data field. I need to join info from the database on these entries. With my current join, I only get data joined when the event has only 1 entry in this field.
i.e.:
Event 1:
Session.Username
Data.X.Number: 1,2,3,4,5
Event 2:
Session.Username2
Data.X.Number: 1
Want to join information from the DB, but in the DB, each line is stored as:
Col1, Col2, Col3
Username, 1, Info I need
Username, 2, Info I need
Username, 3, Info I need
Username2, 1, Info I need
Is it possible to join on both fields when there is more than 1 value in Data.X.Number so I can get Col3 associated to each Number? In the above, it will join correctly with Event2, but Event1 won't get any information from the DB.
I think the answer is to create a separate event for each number in the Data.X.Number field. If that field is already a multi-valued field in Splunk, then just use mvexpand. If it's not multi-valued, then make it one first and then use mvexpand. Once you do that, then in your example above, Event 1 will be broken out into 5 separate events in your search results, all of them the same except for the Data.X.Number field.
For example:
[your base event search] | makemv delim="," Data.X.Number | mvexpand Data.X.Number
At that point, I think your join should work.
Can you post your current queries (both) with names of available fields?
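The effect of the makemv/mvexpand approach suggested in the answer above, as an added example that is not part of the original thread and is not Splunk's own code: a small Python emulation of makemv, mvexpand and a two-field join, run over constructed rows shaped like the question's sample data. The Col3 values and all function names are assumptions made for the illustration.

```python
# Added illustration: emulates makemv + mvexpand + join on in-memory rows.
# All events and DB rows are constructed sample data (Col3 values invented).
EVENTS = [
    {"Session.Username": "Username", "Data.X.Number": "1,2,3,4,5"},
    {"Session.Username": "Username2", "Data.X.Number": "1"},
]
DB_ROWS = [  # (Col1, Col2, Col3)
    ("Username", "1", "info-A1"),
    ("Username", "2", "info-A2"),
    ("Username", "3", "info-A3"),
    ("Username2", "1", "info-B1"),
]
USER, NUM = "Session.Username", "Data.X.Number"

def makemv(event, field, delim=","):
    """Like `makemv delim=","`: turn a delimited string into a list of values."""
    return {**event, field: event[field].split(delim)}

def mvexpand(events, field):
    """Like `mvexpand`: emit one copy of the event per value of `field`."""
    for ev in events:
        values = ev[field] if isinstance(ev[field], list) else [ev[field]]
        for value in values:
            yield {**ev, field: value}

def join(events, db_rows, how="inner"):
    """Join on (username, number). 'inner' drops events with no DB match,
    'left' keeps them with Col3 set to None."""
    index = {(user, num): info for user, num, info in db_rows}
    joined = []
    for ev in events:
        key = (ev[USER], ev[NUM])
        if key in index:
            joined.append({**ev, "Col3": index[key]})
        elif how == "left":
            joined.append({**ev, "Col3": None})
    return joined

def lookup_without_expand():
    # Event 1's key is ("Username", "1,2,3,4,5"), which matches no DB row.
    return join(EVENTS, DB_ROWS)

def lookup_with_expand(how="inner"):
    expanded = mvexpand((makemv(ev, NUM) for ev in EVENTS), NUM)
    return join(expanded, DB_ROWS, how)

if __name__ == "__main__":
    for row in lookup_with_expand("left"):
        print(row[USER], row[NUM], row["Col3"])
```

With the question's sample table, numbers 4 and 5 have no DB row, so an inner join (the default for Splunk's join command) drops those two expanded events; type=left keeps them with an empty Col3.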