Lookup multiple values for one field

gauldridge
Path Finder

My lookup table contains two columns: one for the input field and one for the value which will be populated into the new field created by my lookup.

If the lookup table does not contain unique values in the input field column, how can I get every matching value from the "value" column?

My thinking was that the "Maximum matches" field in "Advanced Options" under the "Lookup Definition" menu would allow more than one value to be returned for a specific input field. If so, how are the values returned? If not, how can I get all the values in the lookup table that correspond to the input field?


lguinn2
Legend

You should try it and look at the results. Yes, Splunk will return more than 1 match. If there are multiple matches, the output fields are created as multi-valued fields.

There are a variety of commands and functions within Splunk that can manipulate multi-valued fields. The eval command has a number of useful functions.

gauldridge
Path Finder

Thanks. I didn't realize I was actually getting all of the values returned. I was expecting something like key=value1,value2,value3 not key=value1, key=value2, key=value3. I hadn't messed with multi-value fields before this.

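
The behaviour described in the accepted answer, and the two output shapes the original poster compared, shown end to end as an added example that is not part of this thread. It builds a small constructed lookup whose input column has duplicate keys, runs the lookup, and reshapes the multi-valued result. The lookup file name `host_owners_demo.csv`, the field names `host` and `owner`, and the sample values are assumptions made up for this example; "Maximum matches" in the lookup definition (`max_matches` in transforms.conf) caps how many values the output field can carry.

```spl
| makeresults count=4
| streamstats count AS n
| eval host=case(n=1,"web01", n=2,"web01", n=3,"web01", n=4,"db01")
| eval owner=case(n=1,"alice", n=2,"bob", n=3,"carol", n=4,"dave")
| table host owner
| outputlookup host_owners_demo.csv

| makeresults
| eval host="web01"
| lookup host_owners_demo.csv host OUTPUT owner
| eval owner_count=mvcount(owner)
| eval owner_csv=mvjoin(owner, ",")
| table host owner owner_count owner_csv

| makeresults
| eval host="web01"
| lookup host_owners_demo.csv host OUTPUT owner
| mvexpand owner
| table host owner
```

Run the three searches separately: the first writes the constructed lookup file, the second returns a single row in which `owner` is a three-value multi-valued field and `owner_csv` is `alice,bob,carol` (the key=value1,value2,value3 form), and the third uses `mvexpand` to turn that one row into three key=value rows, which is what the original poster saw when each value was listed on its own.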