topic Re: How to add multi-values lookups in Splunk Dev

How to add multi-values lookups

dandekarabhay — Mon, 20 Feb 2017 15:10:57 GMT

My CSV is of the format :
Key1 = Val11 Val12 Val13
Key2 = Val21 Val22 Val23

Is there any way I can use the lookup feature to gather this data in a query ?

Thanks and Regards,
Abhay Dandekar

Re: How to add multi-values lookups

somesoni2 — Mon, 20 Feb 2017 15:37:13 GMT

Could you be more specific on what you want to get in the final output? May be a sample output of what is current and what is expected?

Re: How to add multi-values lookups

pradeepkumarg — Mon, 20 Feb 2017 15:38:12 GMT

What do you get when you search for |inputlookup lookup_name ? How do you intend to use those results?

Re: How to add multi-values lookups

dandekarabhay — Mon, 20 Feb 2017 17:19:24 GMT

sure, my lookup CSV file is something like this :
view1 = tag1 tag2 tag3
view2 = tag3 tag4 tag5

I want to search such that, lookup for view1, should provide me with tag1 tag2 tag3, which can be used to search further.

tag1,tag2 ... tag6 are the tags that I have applied via search app.

Let me know if that provided enough info.

Thanks and Regards,
Abhay Dandekar

Re: How to add multi-values lookups

DalJeanis — Mon, 20 Feb 2017 17:55:52 GMT

Yes, that is pretty standard. A subsearch can return the lookup values in a format that allows them to be used as part of a search.

Let's suppose that your lookup file lookupfoo.csv has three values (Key1 field1 field2), and that you want to give it a key value "foo1" and then do a search based on the values that are in field1 and field2. Let's suppose this is the file.

Key1 field1 field2 
foo1 bar1   baz1
foo2 bar2   baz2
foo3 bar3   zap3

so, this language here -

index=myindex source=* [| inputlookup lookupfoo.csv | where key1 == "foo1" | table field1 field2]

will get results that are completely the equivalent of this search -

index=myindex source=* field1="bar1" field2="baz1"

For more information, see this page on the format command, which explains both what the normal format that comes back from a subsearch is, and how to change it to meet your needs. (In your case, you don't; need to change it at all.) https://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Changetheformatofsubsearchresults

Re: How to add multi-values lookups

woodcock — Mon, 20 Feb 2017 17:56:05 GMT

You can convert the existing csv to a properly formatted loookup file like this:

| inputcsv OriginalCSV | makemv Key1 | makemv Key2

At this point, you can put it into a KVStore-based lookup like this:

| outputlookup KVStoreCollection

KVStore-based lookups support multivalued fields but file-based lookups do not. If you must convert to a file-based lookup, then do it like this:

| mvexpand Key1 | mvexpand Key2 | outputlookup FileBasedCSV