Solved: What is the fastest way to use a lookup (or match ...

loganramirez · ‎05-22-2023

I have index with json data that represents call data (phone calls), but there is nothing native in the index that represents lists.

Assume, for example, I have a list called "Splunk Legends" and it represents 10 numbers.

Currently if I want to 'count all calls last 30d from Splunk Legends, then I do

index=mydata 
| stats value(*) by guid -- because I'm joining some other interesting information in this index
| lookup mylookup.csv number OUTPUT list
| search list="Splunk Legends"

What I dislike about this, of course, is I have to search the entire index.

Thoughts on a better way to match value against an external data source?

Thank you!

richgalloway · ‎05-22-2023

Try incorporating the lookup into the base search.

index=mydata [ | inputlookup mylookup.csv where list="Splunk Legends" | fields number | format ]
| stats value(*) by guid -- because I'm joining some other interesting information in this index
...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-22-2023

Try incorporating the lookup into the base search.

index=mydata [ | inputlookup mylookup.csv where list="Splunk Legends" | fields number | format ]
| stats value(*) by guid -- because I'm joining some other interesting information in this index
...

---
If this reply helps you, Karma would be appreciated.

loganramirez · ‎05-22-2023

thoughts on the 10k limit using sub searches like this? just ran into that.

loganramirez · ‎05-22-2023

Legend. Thank you!

What is the fastest way to use a lookup (or match records against a secondary source)?

lookup

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!