You can use the stats command to create fields without any event data. Building on that, you can pack structured data into a single field and then use split, mvexpand, etc. to unpack the data into rows and columns and write the results to a lookup:

```
| stats count as field1
| eval field1="host1,54426859;host2,37203728;host3,96588101"
| eval field1=split(field1,";")
| mvexpand field1
| rex field=field1 "(?<host>.*),(?<serial>.*)"
| table host serial | outputlookup hostserials.csv
```
See below for a PowerShell code snippet which transforms a CSV into lookup-table-generating SPL, which is then passed to a function that implements the standard REST endpoint for searching (https://${server}:${port}/services/search/jobs/export).

```powershell
$server = "your-server-here"
$port = "8089"                       # Splunk management port
$username = "admin"
$sourcefile = "C:\Development\SplunkCSVtoLookupOverREST\hostserials.csv"
$content = Import-Csv $sourcefile    # expects columns named host and serial

# Pack every row as "host,serial"; records are separated by ";"
$flattext = $null
foreach ($item in $content) {
    $thisEntry = "$($item.host),$($item.serial)"
    if ($null -eq $flattext) { $flattext = $thisEntry } else { $flattext += ";$($thisEntry)" }
}

if (!($cred)) { $cred = Get-Credential -Message "enter splunk cred" -UserName $username }

# Same SPL as above; the packed string is interpolated straight into the eval,
# so a quote, semicolon or comma inside a CSV cell would break the search
$thesearch = " | stats count as field1
| eval field1=`"${flattext}`"
| eval field1=split(field1,`";`")
| mvexpand field1
| rex field=field1 `"(?<host>.*),(?<serial>.*)`"
| table host serial | outputlookup hostserials.csv"

Write-Host $thesearch
# get-search-results is the poster's own helper (not shown in the post) that
# POSTs the search to /services/search/jobs/export
get-search-results -cred $cred -server $server -port $port -search $thesearch
```
This technique was successful in creating a 100,000 record lookup table.
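The snippet above interpolates CSV cell values directly into a double-quoted SPL string, so a cell containing a double quote or backslash can terminate the eval string and whatever follows it is parsed as further search commands, while a stray `;` or `,` silently produces extra or mis-split rows. The following is an added example, not code from the original post, showing one way to build the same lookup-generating search defensively: values are escaped for SPL string literals (backslash and double quote are the characters with special meaning there), cells containing the record or field delimiters are rejected rather than escaped (split and rex would still misread them), and the search is submitted to the export endpoint the post refers to with Invoke-RestMethod. The function names, the sample rows and the server name are constructed for this illustration; the -SkipCertificateCheck switch, if you need it for a self-signed management certificate, exists only in PowerShell 7+.

```powershell
# Added example (not from the original post). Builds the lookup-generating SPL
# from CSV rows without letting a hostile cell break out of the eval string,
# then submits it to /services/search/jobs/export.

function ConvertTo-SplStringLiteral {
    # Escape a value for use inside a double-quoted SPL string and wrap it in quotes.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $escaped = $Value.Replace('\', '\\').Replace('"', '\"')
    return '"' + $escaped + '"'
}

function New-LookupSearch {
    # $Rows: objects with host and serial properties (e.g. from Import-Csv).
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [Parameter(Mandatory)][string]$LookupName
    )
    if ($LookupName -notmatch '^[A-Za-z0-9_.-]+\.csv$') {
        throw "Lookup name '$LookupName' is not a plain .csv file name"
    }
    $entries = foreach ($row in $Rows) {
        foreach ($v in @($row.host, $row.serial)) {
            # ";" and "," are the record/field delimiters of the packed format and
            # control characters would corrupt the search; refuse such rows outright.
            if ($v -match '[;,\x00-\x1f]') {
                throw "Rejecting row for host '$($row.host)': value contains a delimiter or control character"
            }
        }
        "$($row.host),$($row.serial)"
    }
    $packed = ConvertTo-SplStringLiteral ($entries -join ';')
    # Same pipeline as the original post; only the packed string is escaped.
    return @"
| stats count as field1
| eval field1=$packed
| eval field1=split(field1,";")
| mvexpand field1
| rex field=field1 "(?<host>.*),(?<serial>.*)"
| table host serial
| outputlookup $LookupName
"@
}

function Invoke-SplunkExportSearch {
    # POST the search to the export endpoint on the management port (8089 by
    # default). The account used needs permission to write lookup files.
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 8089,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Search
    )
    $uri  = "https://${Server}:${Port}/services/search/jobs/export"
    $body = @{ search = $Search; output_mode = 'csv' }
    return Invoke-RestMethod -Uri $uri -Method Post -Credential $Credential -Body $body
}

# Constructed sample rows. The third host carries a quote and a backslash, which
# the unescaped version would have interpolated straight into the eval string.
$rows = @(
    [pscustomobject]@{ host = 'host1'; serial = '54426859' }
    [pscustomobject]@{ host = 'host2'; serial = '37203728' }
    [pscustomobject]@{ host = 'host3"with\odd"chars'; serial = '96588101' }
)
$spl = New-LookupSearch -Rows $rows -LookupName 'hostserials.csv'
Write-Host $spl

# To create the lookup on a real instance (server name is a placeholder):
# $cred = Get-Credential -Message 'Splunk credentials'
# Invoke-SplunkExportSearch -Server 'your-server-here' -Credential $cred -Search $spl
```

The escaped third row arrives in the lookup with its quote and backslash intact, because split and rex operate on the literal characters after eval has parsed the string. For a CSV of untrusted origin, log rejected rows rather than silently dropping them, since a delimiter in a host name is exactly the kind of anomaly worth looking at.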