One of my business partners wants to create a search on his Akamai data, taking the Rule IDs from the WAS Info field and matching those to a lookup table to get the textual reference to the Rule ID code. I am not sure how to match to a lookup table when the field can have multiple values separated by ":", such as this:
xxxx_11111|950901:973333:973335:981173:981242:981318|
Separating the different rule IDs is a simple rex, but how do I use that multi-value field to match up against the lookup table to get all the text meanings for those codes?
I don't know how to make Splunk handle a multi-value input key, but you could do this, assuming that the field is named WAS_Info:
yoursearchhere
| makemv delim=":" WAS_Info
| mvexpand WAS_Info
| lookup your_lookup_name RuleID AS WAS_Info OUTPUT RuleText
then do whatever you want...
Here is some additional info: Manipulate and Evaluate Multivalued Fields
Thank you, this has provided just what I needed.
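The approach from the answer, as an added example that is not part of the original thread: it is run end to end on the sample value from the question, then regroups the expanded rows so each event carries all of its rule texts. The rex pattern, the event_no helper field and the "(no match)" filler are assumptions, makeresults builds one constructed event, and your_lookup_name is assumed to be a lookup with RuleID and RuleText columns.

```spl
| makeresults
| eval WAS_Info="xxxx_11111|950901:973333:973335:981173:981242:981318|"
| rex field=WAS_Info "\|(?<RuleID>[\d:]+)\|"
| makemv delim=":" RuleID
| streamstats count AS event_no
| mvexpand RuleID
| lookup your_lookup_name RuleID OUTPUT RuleText
| fillnull value="(no match)" RuleText
| stats list(RuleID) AS RuleID list(RuleText) AS RuleText BY event_no, WAS_Info
```

The fillnull step keeps the RuleID and RuleText lists aligned when a rule ID is missing from the lookup table, which also makes unmapped WAF rules easy to spot.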