My CSV is of the format:
Key1 = Val11 Val12 Val13
Key2 = Val21 Val22 Val23
Is there any way I can use the lookup feature to gather this data in a query?
Thanks and Regards,
You can convert the existing csv to a properly formatted lookup file like this:
| inputcsv OriginalCSV | makemv Key1 | makemv Key2
At this point, you can put it into a KVStore-based lookup like this:
| outputlookup KVStoreCollection
KVStore-based lookups support multivalued fields but file-based lookups do not. If you must convert to a file-based lookup, then do it like this:
| mvexpand Key1 | mvexpand Key2 | outputlookup FileBasedCSV
Yes, that is pretty standard. A subsearch can return the lookup values in a format that allows them to be used as part of a search.
Let's suppose that your lookup file lookupfoo.csv has three values (Key1 field1 field2), and that you want to give it a key value "foo1" and then do a search based on the values that are in field1 and field2. Let's suppose this is the file.
Key1 field1 field2
foo1 bar1 baz1
foo2 bar2 baz2
foo3 bar3 zap3
So, this language here -
index=myindex source=* [| inputlookup lookupfoo.csv | where Key1 == "foo1" | table field1 field2]
will get results that are completely the equivalent of this search -
index=myindex source=* field1="bar1" field2="baz1"
For more information, see this page on the format command, which explains both what the normal format that comes back from a subsearch is, and how to change it to meet your needs. (In your case, you don't need to change it at all.) https://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Changetheformatofsubsearchresults
Sure, my lookup CSV file is something like this:
view1 = tag1 tag2 tag3
view2 = tag3 tag4 tag5
I want to search such that a lookup for view1 provides me with tag1 tag2 tag3, which can be used to search further.
tag1, tag2 ... tag6 are the tags that I have applied via the search app.
Let me know if that provided enough info.
Thanks and Regards,
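
An added example, not code from any poster in this thread: a Python sketch that turns the "view1 = tag1 tag2 tag3" layout into a one-row-per-value lookup CSV and shows roughly what a subsearch over that lookup would expand to. The column names view and tag, the file name viewtags.csv mentioned below, and the exact spacing of the expanded string are assumptions.

```python
import csv
import io

# Constructed sample in the layout from the question ("key = v1 v2 v3").
SAMPLE = "view1 = tag1 tag2 tag3\nview2 = tag3 tag4 tag5\n"

def parse_pairs(text):
    """Yield one (key, value) pair per value; reject malformed lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, values = line.partition("=")
        key = key.strip()
        if not sep or not key or not values.split():
            raise ValueError(f"line {lineno}: expected 'key = v1 v2 ...'")
        seen = set()
        for value in values.split():
            if value not in seen:  # drop repeats within one key
                seen.add(value)
                yield key, value

def to_lookup_csv(text, key_field="view", value_field="tag"):
    """Return a file-based lookup: header row, then one row per pair."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([key_field, value_field])  # assumed column names
    writer.writerows(parse_pairs(text))
    return buf.getvalue()

def subsearch_expansion(lookup_csv, key, key_field="view", value_field="tag"):
    """Approximate the search terms a subsearch returning value_field yields:
    one quoted term per matching row, OR'ed together."""
    terms = []
    for row in csv.DictReader(io.StringIO(lookup_csv)):
        if row[key_field] == key:
            # Escape backslashes and quotes so each value stays one quoted term.
            val = row[value_field].replace("\\", "\\\\").replace('"', '\\"')
            terms.append(f'( {value_field}="{val}" )')
    if not terms:
        raise LookupError(f"no rows for {key_field}={key!r}")
    return "( " + " OR ".join(terms) + " )"

if __name__ == "__main__":
    lookup = to_lookup_csv(SAMPLE)
    print(lookup)
    print(subsearch_expansion(lookup, "view1"))
```

With the output saved as a lookup file (here assumed to be viewtags.csv), a search such as index=myindex [| inputlookup viewtags.csv | where view == "view1" | fields tag] uses the same subsearch pattern as the answer above.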