How to lookup against a csv file and join data with a multi-value field?

axdahl — Wed, 06 Aug 2014 21:35:58 GMT

I have a lookup file that is basically the following:

userid,group
1,g1
1,g2
1,g3
2,g3
2,g1

I want to do a lookup against this table and return a multivalue field for each event.

i.e. post lookup, if I do table userid, group, I should see:

userid   group
------------------------
1        g1
         g2
         g3
------------------------
2        g1
         g3
------------------------

Basically the lookup should return all matches as a multivalue field. Right now if I'm using

.... | join max=0 userid [inputlookup testgroup.csv ] | table userId group...

But what happens is that each event just gets a single value (g1, g2 or g3) returned for group instead of a multivalued field that contains all matches.

Re: How to lookup against a csv file and join data with a multi-value field?

strive — Thu, 07 Aug 2014 03:48:00 GMT

Try this

.... | join max=0 userid [|inputlookup testgroup.csv ] | stats values(group) as group by userid

Re: How to lookup against a csv file and join data with a multi-value field?

axdahl — Thu, 07 Aug 2014 22:47:03 GMT

that was it!, thanks.

topic Re: How to lookup against a csv file and join data with a multi-value field? in Splunk Search

How to lookup against a csv file and join data with a multi-value field?

Re: How to lookup against a csv file and join data with a multi-value field?

Re: How to lookup against a csv file and join data with a multi-value field?