Lookup tables and multiple fields values

jaydiare · ‎10-08-2021

I need help to use the values from a lookup table into multiple fields, where the output from the lookup table is a list of values.

The value from the table will be populated in a_ims, b_ims, c_ims... instead of "*"

I tried this query below and some other variations but none of them worked.

index=* sourcetype=v_main (a_imsi=* OR b_imsi=* OR c_imsi=* OR d_imsi=* OR Imsi=*)

| lookup ADHOC.csv Comment OUTPUT Imsi

| eval IMSI=mvappend(a_imsi,b_imsi,c_imsi,d_imsi,Imsi)

| mvexpand IMSI

| bin span=1d _time

| stats sum(TCDuration) as TCDuration by _time IMSI

| eval TCDuration=TCDuration/1000

| eval Utilization=round(((TCDuration/86400)*100),1)

| eval Utilization=if(Utilization >100, 100, Utilization)

| fields - TCDuration

| timechart eval(round(avg(Utilization),1)) by IMSI limit=0

Any ideas will be really helpful

thanks so much

richgalloway · ‎10-08-2021

"none of them worked" is not a helpful problem statement. Please describe the desired results and show the actual results. It would help to know what the the lookup file looks like, also.

---
If this reply helps you, Karma would be appreciated.

jaydiare · ‎10-08-2021

for example adding the values

index=* sourcetype IN (*) (

a_imsi IN (1 2 3 4 5 6)

OR b_imsi IN (1 2 3 4 5 6)

OR c_imsi IN (1 2 3 4 5 6)

OR d_imsi IN (1 2 3 4 5 6) )

| eval IMSI=mvappend(a_imsi,b_imsi,c_imsi,d_imsi)

| mvexpand IMSI

| bin span=1d _time

| stats sum(TCDuration) as TCDuration by _time IMSI

| eval TCDuration=TCDuration/1000

| eval Utilization=round(((TCDuration/86400)*100),1)

| eval Utilization=if(Utilization >100, 100, Utilization)

| fields - TCDuration

| timechart eval(round(avg(Utilization),1)) by IMSI limit=0

Lookup tables and multiple fields values

eval

fields

lookup

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!