Hi Splunk Answers,
I'm trying to do a lookup with a list of CVEs and the URL to them. The fields in the CSV file are QID, CVE-ID, and CVE-URL, which I'm outputting as cve_id and cve_url. I have events with a multi-valued field named 'qid'. I'd like to do a lookup on this field and output 2 new multi-valued fields, cve_id and cve_url. However, the lookup is just taking the first value for the 'qid' field and outputting the result from the CSV into cve_id and cve_url.
Here is my lookup command:
lookup qiddb_cve QID AS qid OUTPUTNEW "CVE-ID" AS cve_id "CVE-URL" AS cve_url
I found a similar issue here but it doesn't seem that there's a working solution there.
Has anyone found a way to generate a multi-valued output field from a lookup? I have to think someone's had this problem before, but I'm not finding a way to do it. Thanks!!