I'm seeing some weird issues with using coalesce in an eval statement with multivalued fields. Prior to the eval statement, if I export the field to a lookup table, the field's data looks like:
"1234,
5678,
9876,
3456"
If I do use coalesce to combine the first non-null value of one of these multivalued fields, the output in the lookup table looks like:
"39750
39751
39752
39753
39754
45878",
Searches that reference that field in the lookup table come back with an error:
Empty csv lookup file (contains only a header) for table 'nessus_plugin_reference_lookup': C:\Program Files\Splunk\etc\apps\ResponsysSecurityConsole\lookups\nessus_plugin_reference_lookup.csv
But the lookup table is like 30 MB in size. If I drop the field created by the coalesce statement, there aren't any problems.
How can I turn the post-coalesce field back into something that conforms to the normal multi-valued field? I've tried things like | makemv delim="\n" or | makemv delim="$", but that doesn't break up the data correctly.
I've also tried using rex after the coalesce statement to match on \d+ with an appropriate max_match=X value, but the field still isn't comma separated within quotes when output to a lookup table.
Thx.
Craig
I still don't know why coalesce removes the commas that delimit a multivalued field, but running | makemv delim="," fieldname after the coalesce statement puts the commas back.
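The complete search pipeline implied by that fix, written out as an added example that is not part of the original post: the index, sourcetype and the field names cve_refs, bid_refs and plugin_refs are assumptions, and only the lookup file name comes from the question.

```spl
index=vulnscan sourcetype="nessus:scan"
| eval plugin_refs=coalesce(cve_refs, bid_refs)
| makemv delim="," plugin_refs
| eval ref_count=mvcount(plugin_refs)
| table host, plugin_id, plugin_refs, ref_count
| outputlookup nessus_plugin_reference_lookup.csv
```

The makemv step sits between the eval and the outputlookup so that the field is written to the CSV as a normal multivalued field; the mvcount column is there only as a check, so that a row whose reference list was not split shows a count of 1 before the lookup is overwritten.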