topic Re: Why doesn't the Automatic lookup work? in Splunk Search

Why doesn't the Automatic lookup work?

rajneeshc1981 — Fri, 03 Aug 2018 22:39:40 GMT

I have a new lookup setup I want to query against it .presently its not working may I know what I have to do in order to get it setup for auto lookup.

thanks

Re: Why doesn't the Automatic lookup work?

martin_mueller — Sat, 04 Aug 2018 00:24:26 GMT

This covers what to do in oder to setup automatic lookups: http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/DefineanautomaticlookupinSplunkWeb

Re: Why doesn't the Automatic lookup work?

rajneeshc1981 — Sat, 04 Aug 2018 01:06:41 GMT

I read that ,I created four columns for my csv ..and did props and transforms.conf and I want the lookup to be automatically lookup for a field .

but when I do the query in the search I don't get any statistics. why is it ?.

Re: Why doesn't the Automatic lookup work?

DalJeanis — Sat, 04 Aug 2018 01:35:43 GMT

1) Try manually checking the data

| inputlookup mylookup.csv

that should tell you if it's there.

2) Try manually testing a lookup. Assuming the name of the lookup field is foo, and one record in the lookup the field foo has a value of "bar", and there is another column named baz.

| makeresults 
| eval foo = "bar"
| lookup mylookup.csv foo OUTPUT baz

If both of those work, then you have probably set up the lookup itself incorrectly. If one of them fails, then either the definition is wrong, the lookup name is wrong, or the data is wrong.

Re: Why doesn't the Automatic lookup work?

martin_mueller — Sat, 04 Aug 2018 09:50:36 GMT

I've left my crystal ball in storage, sorry - you will need to post more details about what you're doing. For example, post the props.conf and transforms.conf entries you've made. Post what apps you've placed them in, what permissions you've given them, what app you're searching from, what user/role combo you're searching from, etc.

Re: Why doesn't the Automatic lookup work?

rajneeshc1981 — Tue, 29 Sep 2020 20:43:22 GMT

props.
[smptsm_accesslog]
LOOKUP-pn_ip_env = pn_ip_env ip AS ip OUTPUTNEW inbound AS pn_inbound pn AS pn_name variety AS pn_variety

transforms-
[pn_ip_env]

filename = pn_ip_env.csv

csv file has four columns-
ip, inbound,pn,variety.

Re: Why doesn't the Automatic lookup work?

martin_mueller — Sat, 04 Aug 2018 15:28:26 GMT

does the sourcetype smptsm_accesslog have matching ip values?

Re: Why doesn't the Automatic lookup work?

woodcock — Sat, 04 Aug 2018 15:39:34 GMT

Assuming that your event data's field name is foo and the matching lookup field name is bar:

1: Use "|inputlookup YourLookupFileNameHere.csv" to see if your file is searchable from your user/app context.
2: Use "|inputlookup YourLookupFileNameHere.csv | where bar=*" to see if your file has the right field name.
3: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo" to see if your data is searchable from your user/app context.
4: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo | where foo=*" to see if your data has the right field name.
5: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo | where foo=* | lookup YourLookupFileNameHere.csv | where bar=*" to test that all this works together.
6: CLONE your existing automatic lookup definition and make sure that, if you are using a sourcetype-based stanza, that the sourcetype listed is *exactly* the "AndSourcetypToo" of your event data.  Upper/lower-case matters.  Why did I have you clone it?  Because that is the only practical way to see if you have accidental whitespace at the beginning or end of your sourcetype string, as can easily happen when doing cut/paste.  You can see it when you clone but not by looking at it on the screen any other practical way (Yes, you could use a "|rest" call but this is way quicker/easier).  I suspect that this is your problem.

Re: Why doesn't the Automatic lookup work?

rajneeshc1981 — Sat, 04 Aug 2018 17:01:58 GMT

| inputlookup mylookup.csv. (works)
index=xyz | inputlookup mylookup.csv. ( doesn't work. )

Re: Why doesn't the Automatic lookup work?

woodcock — Sat, 04 Aug 2018 18:40:35 GMT

There are 2 lookup-ish commands: inputlookup and lookup. You are confusing the two. Read my post again.

Re: Why doesn't the Automatic lookup work?

rajneeshc1981 — Mon, 06 Aug 2018 00:36:40 GMT

how do I check auto lookup is working ?.

Re: Why doesn't the Automatic lookup work?

youngsuh — Wed, 18 Mar 2020 13:12:21 GMT

@DalJeanis when you say "If both of those work, then you have probably set up the lookup itself incorrectly." did you mean you have set up the look correctly? Both of my query work.

| inputlookup q-compliance_system_asset_mapping  (working)


| eval foo = "bar" | lookup q-compliance_system_asset_mapping dns AS dest OUTPUT system AS system  (working)

But, it's not working on pivot. do you have any suggestion on how to troubleshoot?

Re: Why doesn't the Automatic lookup work?

gordo32 — Thu, 25 May 2023 19:37:16 GMT

There is actually one more possible issue - when using a remote Indexer. You need to enable replication of KVStore lookups by added to <app>/local/collections.conf:

[<automatic_lookup_name>_kvstore]
replicate = true