Splunk ITSI
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Lookups on multivalued fields without mvexpand

pratheep1980
New Member
‎05-08-2019 02:59 AM

The requirement is to get the Decision_type and priority from the csv file by comparing the values of log files.
The log file would have the same column name of lookup file.

I've created a table with the required columns from the log files and the next step is to compare the table value with multi-valued csv files and get the values of 2 columns. Since the csv file has multiple rows and columns with multi-value, makemv & mvexpand occupies the space in splunk (due to some storage constraint).

Search query for sample case_Id: 4157377 :

4157377 "TAT_DECISION" | eval casetime=strftime(_time, "%d-%m-%Y %H:%M:%S") | table casetime REVIEW_TYPE LENGTH_OF_STAY REQUEST_TYPE | sort by casetime desc
alt text
csv file lookup data:
alt text

I would like to know that there is anyway to get the values of required columns from the csv file without using makemv, mvexpand commands.

Preview file
6 KB
Preview file
17 KB
0 Karma
Reply

starcher
Influencer
‎05-09-2019 10:23 AM

csv lookups are not multivalve aware. convert your lookup to kvstore based. it is mv compatible by default.

0 Karma
Reply

pratheep1980
New Member
‎05-08-2019 03:48 AM

The space issue was due to the csv file was expanded and written into other output csv file. I am ok to use the makemv and mvexpand in the query itself, if it returns the value fast.

0 Karma
Reply

dmarling
Builder
‎05-08-2019 07:29 AM

Which field would you be performing the lookup on in the csv? Is it REVIEW_TYPE, LENGTH_OF_STAY, REQUEST_TYPE, or some combination of those? It's possible to do this type of lookup by making your lookup definition point to the csv file with a match type. Here's a link to the documentation on it:

https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Usefieldlookupstoaddinformationtoyourev...

Match type A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching. The available match_type values are WILDCARD, CIDR, and EXACT. EXACT is the default. Specify the fields that use WILDCARD or CIDR in this list.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...