Archive

How to add multi-values lookups

New Member

My CSV is of the format :
Key1 = Val11 Val12 Val13
Key2 = Val21 Val22 Val23

Is there any way I can use the lookup feature to gather this data in a query ?

Thanks and Regards,
Abhay Dandekar

Tags (1)
0 Karma

Esteemed Legend

You can convert the existing csv to a properly formatted loookup file like this:

| inputcsv OriginalCSV | makemv Key1 | makemv Key2 

At this point, you can put it into a KVStore-based lookup like this:

| outputlookup KVStoreCollection

KVStore-based lookups support multivalued fields but file-based lookups do not. If you must convert to a file-based lookup, then do it like this:

| mvexpand Key1 | mvexpand Key2 | outputlookup FileBasedCSV
0 Karma

SplunkTrust
SplunkTrust

Yes, that is pretty standard. A subsearch can return the lookup values in a format that allows them to be used as part of a search.

Let's suppose that your lookup file lookupfoo.csv has three values (Key1 field1 field2), and that you want to give it a key value "foo1" and then do a search based on the values that are in field1 and field2. Let's suppose this is the file.

Key1 field1 field2 
foo1 bar1   baz1
foo2 bar2   baz2
foo3 bar3   zap3

so, this language here -

index=myindex source=* [| inputlookup lookupfoo.csv | where key1 == "foo1" | table field1 field2]

will get results that are completely the equivalent of this search -

index=myindex source=* field1="bar1" field2="baz1"

For more information, see this page on the format command, which explains both what the normal format that comes back from a subsearch is, and how to change it to meet your needs. (In your case, you don't; need to change it at all.) https://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Changetheformatofsubsearchresults

0 Karma

Influencer

What do you get when you search for |inputlookup lookup_name ? How do you intend to use those results?

0 Karma

Revered Legend

Could you be more specific on what you want to get in the final output? May be a sample output of what is current and what is expected?

0 Karma

New Member

sure, my lookup CSV file is something like this :
view1 = tag1 tag2 tag3
view2 = tag3 tag4 tag5

I want to search such that, lookup for view1, should provide me with tag1 tag2 tag3, which can be used to search further.

tag1,tag2 ... tag6 are the tags that I have applied via search app.

Let me know if that provided enough info.

Thanks and Regards,
Abhay Dandekar

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!