topic Refining the search through lookup in Splunk Search

Refining the search through lookup

macadminrohit — Mon, 10 Apr 2017 20:40:53 GMT

Hi,

Below is the search I am running on a set of servers in the lookup file , I don't want to run the search on all the hosts resulting from my main search that's why I am using the sub search (using inputlookup)

But when I run the search I see the error :

Regex: invalid UTF-8 string

Can the experts let me know how to get rid of this error?

Re: Refining the search through lookup

somesoni2 — Mon, 10 Apr 2017 20:48:12 GMT

Do you only want to run your search for host,sourcetype combination in subsearch where the value of field count in the subsearch is greater than 0? If yes then, you should include the where clause inside subsearch. Also, add a table command at the end of subsearch to only return the fields that you want to pass (and which are available in ) in base search.

index=cohl  [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host | where count=0 | table sourcetype host]

Re: Refining the search through lookup

macadminrohit — Mon, 10 Apr 2017 21:37:16 GMT

I tried your query but it doesn't work , to test it I placed 'where count >=0' , but it again gave me that error .

The above query doesn't return anything.

Re: Refining the search through lookup

somesoni2 — Mon, 10 Apr 2017 21:41:43 GMT

Try this

index=cohl  [ | inputlookup COHL_Sourcetype | stats count by sourcetype host | where count=0 | table sourcetype host | format ]

index=cohl  [ | inputlookup COHL_Sourcetype | stats count by sourcetype host | where count=0 | table sourcetype host | format  "" "" "" "" "" ""]

Re: Refining the search through lookup

DalJeanis — Mon, 10 Apr 2017 22:16:55 GMT

Have you verified there are no weird characters in your inputlookup table?

Re: Refining the search through lookup

macadminrohit — Tue, 11 Apr 2017 16:19:49 GMT

No I don't see anything weird in the lookup file. Any way I can remove those characters if any?

Re: Refining the search through lookup

lguinn2 — Wed, 12 Apr 2017 07:34:35 GMT

Splunk expects the lookup files to be in the UTF-8 character set, with normal line endings (Linux or Windows).
Here are the specific requirements from the Configure CSV lookups section of the Knowledge Manager manual. The file must also be in proper CSV format.

Many text editors can find and "zap" weird characters and clean up the line endings in a file. I think Notepad++ may do this, as will BBEdit and others.

Re: Refining the search through lookup

woodcock — Sat, 22 Apr 2017 22:42:29 GMT

What does this do:

| inputlookup COHL_Sourcetype

Does the above give you the error, too? If so, you definitely need to clean the file.

Also, the search definitely is broken even beyond this error. At a minimum, this | stats count by sourcetype host should be stats count by sourcetype host | table sourcetype host or maybe stats count by sourcetype host | table sourcetype or maybe stats count by sourcetype host | table host.