topic Lookup tables and multiple fields values in Splunk Search

Lookup tables and multiple fields values

jaydiare — Fri, 08 Oct 2021 15:44:12 GMT

I need help to use the values from a lookup table into multiple fields, where the output from the lookup table is a list of values.

The value from the table will be populated in a_ims, b_ims, c_ims... instead of "*"

I tried this query below and some other variations but none of them worked.

index=* sourcetype=v_main (a_imsi=* OR b_imsi=* OR c_imsi=* OR d_imsi=* OR Imsi=*)

| lookup ADHOC.csv Comment OUTPUT Imsi

| eval IMSI=mvappend(a_imsi,b_imsi,c_imsi,d_imsi,Imsi)

| mvexpand IMSI

| bin span=1d _time

| stats sum(TCDuration) as TCDuration by _time IMSI

| eval TCDuration=TCDuration/1000

| eval Utilization=round(((TCDuration/86400)*100),1)

| eval Utilization=if(Utilization >100, 100, Utilization)

| fields - TCDuration

| timechart eval(round(avg(Utilization),1)) by IMSI limit=0

Any ideas will be really helpful

thanks so much

Re: Lookup tables and multiple fields values

richgalloway — Fri, 08 Oct 2021 16:50:43 GMT

"none of them worked" is not a helpful problem statement. Please describe the desired results and show the actual results. It would help to know what the the lookup file looks like, also.

Re: Lookup tables and multiple fields values

jaydiare — Fri, 08 Oct 2021 17:30:17 GMT

for example adding the values

index=* sourcetype IN (*) (

a_imsi IN (1 2 3 4 5 6)

OR b_imsi IN (1 2 3 4 5 6)

OR c_imsi IN (1 2 3 4 5 6)

OR d_imsi IN (1 2 3 4 5 6) )

| eval IMSI=mvappend(a_imsi,b_imsi,c_imsi,d_imsi)