Solved: How to lookup against a csv file and join data wit...

axdahl · ‎08-06-2014

I have a lookup file that is basically the following:

userid,group
1,g1
1,g2
1,g3
2,g3
2,g1

I want to do a lookup against this table and return a multivalue field for each event.

i.e. post lookup, if I do table userid, group, I should see:

userid   group
------------------------
1        g1
         g2
         g3
------------------------
2        g1
         g3
------------------------

Basically the lookup should return all matches as a multivalue field. Right now if I'm using

.... | join max=0 userid [inputlookup testgroup.csv ] | table userId group...

But what happens is that each event just gets a single value (g1, g2 or g3) returned for group instead of a multivalued field that contains all matches.

strive · ‎08-06-2014

Try this

.... | join max=0 userid [|inputlookup testgroup.csv ] | stats values(group) as group by userid

View solution in original post

strive · ‎08-06-2014

Try this

.... | join max=0 userid [|inputlookup testgroup.csv ] | stats values(group) as group by userid

axdahl · ‎08-07-2014

that was it!, thanks.

How to lookup against a csv file and join data with a multi-value field?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to lookup against a csv file and join data with a multi-value field?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits