topic New lookup is not working in Splunk Search

New lookup is not working

gustavoortega — Tue, 06 Jul 2021 18:50:46 GMT

Hi team,

I already worked with the lookup feature of splunk, tables, definitions and automatic lookup, and is working correctly even though I create a script to use the inputlook command to automatically update the lookup table when it is needed.

The csv file of the lookup table have the following structure:

appid,appName APP01729-af-ws.service,APP01729 APP01729-af-sch.service,APP01729 APP01729-af-wkr.service,APP01729

The idea with this lookup is to match the appid with one of the attributes that splunk have from a seach and then add the value of appName in the result of that search, for example:

appid will match the values of systemd_unit
with that match in that search will add the attribute appname with the value of appName of the lookup table

That behavior is working with the values above, but when I try to create another lookup table and his definition with different values but matching the same attributes in splunk is not creating the new attribute in the search. I test that with this search:

index=main_dev ... | spath systemd_unit | search systemd_unit="*container*" | lookup appids_lookup appid as systemd_unit OUTPUTNEW appName

Here the systemd_unit that try to match is everything that have 'container' in his name and then create a new attribute called appName with the value corresponding to the value of appName in the lookup table

That doesn't work because the search for container and the corresponding lookup value in the lookup table is new.

But the old values of the lookup table, I mean old values with values from other lookup tables that I use in the new lookup table it works correctly, creating the new attribute in the seach.

My problem is do I need something else to do more than creating the lookup table, definition to make this works for new values?

Re: New lookup is not working

venkatasri — Wed, 07 Jul 2021 00:09:47 GMT

Hi @gustavoortega have you tried finding the new lookup table with | inputlookup command?

Can you share the new lookup table contents and does your search events having field/value that matches with lookup field?

When you created new lookup what is the scope of app? are you running the query in same app or outside?

what is the new search query that you have used?

Re: New lookup is not working

gustavoortega — Wed, 07 Jul 2021 13:35:57 GMT

Hi, @venkatasri Yes the command and the output of the | inputlookup is the next:

This is the lookup table and the search to generate it

Yes, I'm running the lookup in the same scope and in the same app
This is the lookup definition

And this is the lookup table

And this is the new search that I'm using

As you can see I try t match the values of appid in the lookup table to systemd_unit in the search, and the values are matching for containerd.service but the new value that should show in appName doesn't show

But if I change the search a little to include another value, not just containerd it works correctly, but only shows the other value.

I think this other value is correctly retrieved because is a value that exists for the other lookups that works correctly