- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- How to add multi-values lookups
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to add multi-values lookups
My CSV is of the format :
Key1 = Val11 Val12 Val13
Key2 = Val21 Val22 Val23
Is there any way I can use the lookup feature to gather this data in a query ?
Thanks and Regards,
Abhay Dandekar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can convert the existing csv to a properly formatted loookup file like this:
| inputcsv OriginalCSV | makemv Key1 | makemv Key2
At this point, you can put it into a KVStore-based lookup like this:
| outputlookup KVStoreCollection
KVStore-based lookups support multivalued fields but file-based lookups do not. If you must convert to a file-based lookup, then do it like this:
| mvexpand Key1 | mvexpand Key2 | outputlookup FileBasedCSV
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, that is pretty standard. A subsearch can return the lookup values in a format that allows them to be used as part of a search.
Let's suppose that your lookup file lookupfoo.csv has three values (Key1 field1 field2), and that you want to give it a key value "foo1" and then do a search based on the values that are in field1 and field2. Let's suppose this is the file.
Key1 field1 field2
foo1 bar1 baz1
foo2 bar2 baz2
foo3 bar3 zap3
so, this language here -
index=myindex source=* [| inputlookup lookupfoo.csv | where key1 == "foo1" | table field1 field2]
will get results that are completely the equivalent of this search -
index=myindex source=* field1="bar1" field2="baz1"
For more information, see this page on the format command, which explains both what the normal format that comes back from a subsearch is, and how to change it to meet your needs. (In your case, you don't; need to change it at all.) https://docs.splunk.com/Documentation/Splunk/6.5.2/Search/Changetheformatofsubsearchresults
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you get when you search for |inputlookup lookup_name ? How do you intend to use those results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you be more specific on what you want to get in the final output? May be a sample output of what is current and what is expected?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sure, my lookup CSV file is something like this :
view1 = tag1 tag2 tag3
view2 = tag3 tag4 tag5
I want to search such that, lookup for view1, should provide me with tag1 tag2 tag3, which can be used to search further.
tag1,tag2 ... tag6 are the tags that I have applied via search app.
Let me know if that provided enough info.
Thanks and Regards,
Abhay Dandekar
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
