Solved: Issue of lookup csv file and output multiple value...

leo_wang · ‎04-08-2018

Hi,

When I lookup a csv file, and match multiple values, it will output as a multi-value fields .
Like that :

But, if that possible to expand the result as multiple records instead of multi-value record.
( like the result of "join" command does)
What I want will look like that :

I known there is a "mvexpand" command, but this command only accept only 1 fields to expand the record.
And because my lookup file is very large and it is the time-based lookup, so it is difficult to change the "join" command instead the "lookup".

Any idea?

mayurr98 · ‎04-08-2018

well you are certainly looking to expand multiple fields then you would need to do mvzip and then mvexpand
have a look at this doc for mvzip
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/MultivalueEvalFunctions#mvzip.28X....

for example, if you have 4 fields then try

| eval a=mvzip(field1,mvzip(field2,mvzip(field3,field4))) | mvexpand a | then use regex to seperate it out

let me know if this helps!

View solution in original post

mayurr98 · ‎04-08-2018

well you are certainly looking to expand multiple fields then you would need to do mvzip and then mvexpand
have a look at this doc for mvzip
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/MultivalueEvalFunctions#mvzip.28X....

for example, if you have 4 fields then try

| eval a=mvzip(field1,mvzip(field2,mvzip(field3,field4))) | mvexpand a | then use regex to seperate it out

let me know if this helps!

leo_wang · ‎04-10-2018

Thanks for your idea.
It sound workable, but I am worried about the performance because there will be huge volume of data to process.

But it still worth a try~

landen99 · ‎04-04-2019

performance should not be an issue here

Issue of lookup csv file and output multiple values

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life