Splunk IT Service Intelligence

Lookups on multivalued fields without mvexpand

pratheep1980
New Member

The requirement is to get the Decision_type and priority from the csv file by comparing the values of log files.
The log file would have the same column name of lookup file.

I've created a table with the required columns from the log files and the next step is to compare the table value with multi-valued csv files and get the values of 2 columns. Since the csv file has multiple rows and columns with multi-value, makemv & mvexpand occupies the space in splunk (due to some storage constraint).

Search query for sample case_Id: 4157377 :

4157377 "TAT_DECISION" | eval casetime=strftime(_time, "%d-%m-%Y %H:%M:%S") | table casetime REVIEW_TYPE LENGTH_OF_STAY REQUEST_TYPE | sort by casetime desc
alt text
csv file lookup data:
alt text

I would like to know that there is anyway to get the values of required columns from the csv file without using makemv, mvexpand commands.

0 Karma

starcher
SplunkTrust
SplunkTrust

csv lookups are not multivalve aware. convert your lookup to kvstore based. it is mv compatible by default.

0 Karma

pratheep1980
New Member

The space issue was due to the csv file was expanded and written into other output csv file. I am ok to use the makemv and mvexpand in the query itself, if it returns the value fast.

0 Karma

dmarling
Builder

Which field would you be performing the lookup on in the csv? Is it REVIEW_TYPE, LENGTH_OF_STAY, REQUEST_TYPE, or some combination of those? It's possible to do this type of lookup by making your lookup definition point to the csv file with a match type. Here's a link to the documentation on it:

https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Usefieldlookupstoaddinformationtoyourev...

Match type A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching. The available match_type values are WILDCARD, CIDR, and EXACT. EXACT is the default. Specify the fields that use WILDCARD or CIDR in this list.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...