The requirement is to get the Decision_type and priority from the csv file by comparing the values of log files.
The log file would have the same column name of lookup file.
I've created a table with the required columns from the log files and the next step is to compare the table value with multi-valued csv files and get the values of 2 columns. Since the csv file has multiple rows and columns with multi-value, makemv & mvexpand occupies the space in splunk (due to some storage constraint).
Search query for sample case_Id: 4157377 :
4157377 "TAT_DECISION" | eval casetime=strftime(_time, "%d-%m-%Y %H:%M:%S") | table casetime REVIEW_TYPE LENGTH_OF_STAY REQUEST_TYPE | sort by casetime desc
csv file lookup data:
I would like to know that there is anyway to get the values of required columns from the csv file without using makemv, mvexpand commands.
csv lookups are not multivalve aware. convert your lookup to kvstore based. it is mv compatible by default.
The space issue was due to the csv file was expanded and written into other output csv file. I am ok to use the makemv and mvexpand in the query itself, if it returns the value fast.
Which field would you be performing the lookup on in the csv? Is it REVIEW_TYPE, LENGTH_OF_STAY, REQUEST_TYPE, or some combination of those? It's possible to do this type of lookup by making your lookup definition point to the csv file with a match type. Here's a link to the documentation on it:
Match type A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching. The available match_type values are WILDCARD, CIDR, and EXACT. EXACT is the default. Specify the fields that use WILDCARD or CIDR in this list.