How to have the lookup multivalue field return the 1st match?

brdr
Contributor

hello,

I have a lookup table that has a host-to-user correlation, e.g.:

Host, User
hosta, user1
hostb, user2
hostb, user3

My understanding is that when I match on hostb via the lookup below, I will get the field Authentication.user back as a multivalue field. But when I try to use 'mv' commands to get the first user for hostb (user2), I get a blank field for top_user. Why? Thanks.

| makeresults | eval host="hostb"
| table host
| lookup host-to-users.csv Authentication.src as host OUTPUT Authentication.user
| eval top_user=mvindex(Authentication.user,0)
| table host Authentication.user top_user
0 Karma
1 Solution

woodcock
Esteemed Legend

You have a mismatch in field names and wrong ordering to boot, with a dash of possible misinterpretation of . as the concatenation operator. Try this:

| makeresults | eval host="hostb"
| table host
| lookup host-to-users.csv host AS Authentication.src OUTPUT user AS Authentication.user
| eval top_user=mvindex('Authentication.user', 0)
| table host Authentication.user top_user

brdr
Contributor

Thanks for the response as always... I did have it backwards. The headers in the lookup file should have been Authentication.src, Authentication.user.

The thing that was catching me up was the single quotes around the first parameter in the mvindex() function. As soon as I added the quotes, the commands I entered worked.

Thanks again.

0 Karma
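To make the quoting point from the accepted answer reproducible, here is an added example (not code from the original thread) that builds the multivalue field inline with mvappend instead of reading it from host-to-users.csv, so it runs on any Splunk instance with no lookup file. The values user2 and user3 are constructed test data matching the hostb rows in the question, and the field names unquoted_result, top_user and user_count are just illustrative. Both spellings of the mvindex argument are evaluated side by side:

```spl
| makeresults
| eval host="hostb"
| eval 'Authentication.user'=mvappend("user2", "user3")
| eval unquoted_result=mvindex(Authentication.user, 0)
| eval top_user=mvindex('Authentication.user', 0)
| eval user_count=mvcount('Authentication.user')
| table host Authentication.user unquoted_result top_user user_count
```

unquoted_result comes back empty because inside an eval expression the period is the concatenation operator: Authentication.user is parsed as the field Authentication joined to the field user, neither of which exists in the event, so the expression is null and mvindex of null is null. top_user returns user2 and user_count returns 2, because the single quotes tell eval that 'Authentication.user' is one field name. The same rule applies in where and in any other place a field name appears inside an expression; in table, fields, rename and the lookup command itself the name is a plain token and needs no quotes, which is why the lookup line in the question could populate the field while the mvindex line could not read it. Once the lookup file is in place, replace the mvappend line with the lookup command and keep the quoted form of mvindex.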

woodcock
Esteemed Legend

I hate non-alphanumeric characters in field names, especially spaces and periods.

0 Karma

somesoni2
SplunkTrust

If your lookup fields are host and user (that exact name), you're using the wrong order in your lookup invocation. Do you get any value in Authentication.user right now?

0 Karma

brdr
Contributor

Hey somesoni2, yes, I get the appropriate number of user(s) that match on host. I'm just not sure why I can't operate on the users mv field to get the first user (value).

0 Karma