Splunk ITSI

Lookups on multivalued fields without mvexpand

pratheep1980
New Member

The requirement is to get the Decision_type and priority from the csv file by comparing the values of the log files.
The log file would have the same column names as the lookup file.

I've created a table with the required columns from the log files, and the next step is to compare the table values with the multi-valued csv file and get the values of 2 columns. Since the csv file has multiple rows and columns with multi-values, makemv & mvexpand occupy space in Splunk (due to some storage constraint).

Search query for sample case_Id: 4157377 :

4157377 "TAT_DECISION" | eval casetime=strftime(_time, "%d-%m-%Y %H:%M:%S") | table casetime REVIEW_TYPE LENGTH_OF_STAY REQUEST_TYPE | sort by casetime desc

csv file lookup data:

I would like to know whether there is any way to get the values of the required columns from the csv file without using the makemv and mvexpand commands.

0 Karma

starcher
Influencer

CSV lookups are not multivalue aware. Convert your lookup to kvstore based. It is mv compatible by default.

0 Karma

pratheep1980
New Member

The space issue was because the csv file was expanded and written into another output csv file. I am OK with using makemv and mvexpand in the query itself, if it returns the values fast.

0 Karma

dmarling
Builder

Which field would you be performing the lookup on in the csv? Is it REVIEW_TYPE, LENGTH_OF_STAY, REQUEST_TYPE, or some combination of those? It's possible to do this type of lookup by making your lookup definition point to the csv file with a match type. Here's a link to the documentation on it:

https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Usefieldlookupstoaddinformationtoyourev...

Match type: A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching. The available match_type values are WILDCARD, CIDR, and EXACT. EXACT is the default. Specify the fields that use WILDCARD or CIDR in this list.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma