https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205379#M59716 <P>Thanks MuS<BR /> I think that is my missing piece.<BR /> This is a Splunk cloud environment, can I make that change in the UI or do I need to pass a transforms.conf to the cloud team?</P> Fri, 05 Aug 2016 01:47:03 GMT proylea 2016-08-05T01:47:03Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205375#M59712 <P>ok, here is my dilemma</P> <P>I have a lookup table like this:</P> <PRE><CODE>_raw,sourcetype,alertMessage,severity *Reloading repositories*,liferay,Reloading repositories,high *RememberMe*,liferay,Remember Me,low </CODE></PRE> <P>When I do a search like this:</P> <PRE><CODE>index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ] </CODE></PRE> <P>I get the correct number of results returned for the 2 strings in _raw in the lookup, so all good.</P> <P>Now I would like to apply the lookup field called alertMessages to the matching _raw events.</P> <P>I thought maybe something like this:</P> <PRE><CODE>index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ]| lookup update=true pre-ces-alerts.csv _raw OUTPUT alertMessage </CODE></PRE> <P>but it's doesn't create the field alertMessages</P> <P>If I select sourcetype as the lookup field like this:</P> <PRE><CODE>index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ]| lookup update=true pre-ces-alerts.csv sourcetype OUTPUT alertMessage </CODE></PRE> <P>I get the alertMessage as an interesting field but both of the alertMessage strings get applied to every event because their sourcetype is the same.</P> <P>What I suspect is that because my _raw lookup string is not an exact match to the _raw event field (albeit a wild card match) it doesn't apply the alertMessage field.</P> <P>Can anyone tell me what I am missing here?</P> <P>Kind Regards<BR /> Peter</P> Thu, 04 Aug 2016 05:15:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205375#M59712 proylea 2016-08-04T05:15:03Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205376#M59713 <P>Think your missing the format command.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Format">http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Format</A></P> Thu, 04 Aug 2016 08:29:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205376#M59713 teunlaan 2016-08-04T08:29:11Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205377#M59714 <P>Thanks, but I have used the return command specifically because the format command was not returning the result correctly.</P> <P>I am getting the correct number of results returned I am just unable to apply the alertMessage field from the lookup to the corresponding _raw events</P> Fri, 05 Aug 2016 00:59:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205377#M59714 proylea 2016-08-05T00:59:01Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205378#M59715 <P>Hi proylea,</P> <P>your using <CODE>*RememberMe*</CODE> and another wild card field in the lookup; did you configure the lookup to use <CODE>match_type = WILDCARD(fieldname)</CODE> in <CODE>transforms.conf</CODE>? The default for lookups is <CODE>match_type = EXACT</CODE> - see the docs for more details <A href="http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf">http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf</A></P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Fri, 05 Aug 2016 01:26:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205378#M59715 MuS 2016-08-05T01:26:40Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205379#M59716 <P>Thanks MuS<BR /> I think that is my missing piece.<BR /> This is a Splunk cloud environment, can I make that change in the UI or do I need to pass a transforms.conf to the cloud team?</P> Fri, 05 Aug 2016 01:47:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205379#M59716 proylea 2016-08-05T01:47:03Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205380#M59717 <P>No UI access to any <CODE>transforms.conf</CODE> in cloud <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> So, you need to pass it to the cloud ops ...</P> Fri, 05 Aug 2016 02:04:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205380#M59717 MuS 2016-08-05T02:04:46Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205381#M59718 <P>Thanks MuS you're a legend</P> Fri, 05 Aug 2016 02:17:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205381#M59718 proylea 2016-08-05T02:17:00Z https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205382#M59719 <P><EM>blush</EM> thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 05 Aug 2016 03:33:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-a-field-from-a-lookup/m-p/205382#M59719 MuS 2016-08-05T03:33:11Z