Coalesce and multivalued fields

responsys_cm
Builder

I'm seeing some weird issues with using coalesce in an eval statement with multivalued fields. Prior to the eval statement, if I export the field to a lookup table, the field's data looks like:

"1234,

5678,

9876,

3456"

If I do use coalesce to combine the first non-null value of one of these multivalued fields, the output in the lookup table looks like:

"39750

39751

39752

39753

39754

45878",

Searches that reference that field in the lookup table come back with an error:

Empty csv lookup file (contains only a header) for table 'nessus_plugin_reference_lookup': C:\Program Files\Splunk\etc\apps\ResponsysSecurityConsole\lookups\nessus_plugin_reference_lookup.csv

But the lookup table is like 30 MB in size. If I drop the field created by the coalesce statement, there aren't any problems.

How can I turn the post-coalesce field back into something that conforms to the normal multi-valued field? I've tried things like | makemv delim="\n" or | makemv delim="$", but that doesn't break up the data correctly.

I've also tried using rex after the coalesce statement to match on \d+ with an appropriate max_match=X value, but the field still isn't comma separated within quotes when output to a lookup table.

Thx.

Craig


responsys_cm
Builder

I still don't know why coalesce removes the commas that delimit a multivalued field, but running | makemv delim="," fieldname after the coalesce statement puts the commas back.
