Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Lookups on multivalued fields without mvexpand

pratheep1980
New Member
‎05-08-2019 02:59 AM

The requirement is to get the Decision_type and priority from the csv file by comparing the values of log files.
The log file would have the same column name of lookup file.

I've created a table with the required columns from the log files and the next step is to compare the table value with multi-valued csv files and get the values of 2 columns. Since the csv file has multiple rows and columns with multi-value, makemv & mvexpand occupies the space in splunk (due to some storage constraint).

Search query for sample case_Id: 4157377 :

4157377 "TAT_DECISION" | eval casetime=strftime(_time, "%d-%m-%Y %H:%M:%S") | table casetime REVIEW_TYPE LENGTH_OF_STAY REQUEST_TYPE | sort by casetime desc
alt text
csv file lookup data:
alt text

I would like to know that there is anyway to get the values of required columns from the csv file without using makemv, mvexpand commands.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

starcher
Influencer
‎05-09-2019 10:23 AM

csv lookups are not multivalve aware. convert your lookup to kvstore based. it is mv compatible by default.

0 Karma
Reply

pratheep1980
New Member
‎05-08-2019 03:48 AM

The space issue was due to the csv file was expanded and written into other output csv file. I am ok to use the makemv and mvexpand in the query itself, if it returns the value fast.

0 Karma
Reply

dmarling
Builder
‎05-08-2019 07:29 AM

Which field would you be performing the lookup on in the csv? Is it REVIEW_TYPE, LENGTH_OF_STAY, REQUEST_TYPE, or some combination of those? It's possible to do this type of lookup by making your lookup definition point to the csv file with a match type. Here's a link to the documentation on it:

https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Usefieldlookupstoaddinformationtoyourev...

Match type A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching. The available match_type values are WILDCARD, CIDR, and EXACT. EXACT is the default. Specify the fields that use WILDCARD or CIDR in this list.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...