Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you enforce a lookup match for all values of a multivalue field?

Murali2888
Communicator
‎02-04-2019 03:04 PM

I have a multivalue field in my events and I want to do a lookup against a multivalue field in kvstore field. Event field can either have all values of kvstore mv field or a subset of it. Existing lookup command matches at least one of the values. I want to enforce a match only if all values are present in the kvstore field.

kvstorefieldA
A1 A2 A3
B1 B2 B3 B4 B5

event fieldX
A1 A2 A3
A1 A4

How can I enforce that only the first value of fieldX matches and the second does not?

0 Karma
Reply

woodcock
Esteemed Legend
‎02-13-2019 12:15 PM

You cannot directly but you can easily adjust your situation to make it work. First fix your lookup with this search:

|inputlookup YourLookupHere
| stats values(kvstorefieldA) AS kvstorefieldA BY Your Other Field Names Here
| nomv kvstorefieldA
| outputlookup YourLookupHere

Now adjust your search like this:

Your Search Stuff
| eval kvstorefieldA=mvdedup(mvsort(kvstorefieldA))
| nomv kvstorefieldA
| lookup YourLookupHere kvstorefieldA

The nomv command flattens the mulit-valued field into a space-delimited single-value field.

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...