topic lookup is not working in Splunk Search

lookup is not working

shreyasathavale — Tue, 29 Sep 2020 11:18:19 GMT

I am doing it using GUI as i dont have server access.
I have lookup file serverrole.csv
host,role,environment
A,X,prod

Lookup file is located :/splunk/etc/apps/mysearch /lookups/serverroles.csv
Lookup definition is created : serverrole_lookup in supported fields it shows : host,role,environment
Automatic lookup : serverrole_lookup host AS host OUTPUT environment AS env host AS host role AS role for sourcetype: perfmon:processor

When I do search as : |inputllookup serverrole.csv it shows lookup file contents.

But when I do search as : sourcetype=perfmon:processor | lookup serverroles.csv host,role OUTPUT host,role I am not getting role, environment fields in "Intresting fields" or "Selected fields" or in "Events"..

I want search to work if i search : sourcetype=perfmon:processor| where role=X

Re: lookup is not working

govindsinghrawa — Tue, 29 Sep 2020 11:18:21 GMT

If your Lookup definition is "serverrole_lookup" then you should use as follows:
*** base search | lookup serverrole_lookup host as host1 OUTPUT environment as env, role as myRole***

where

host field is in lookup table whereas host1 is an extracted field
environment is in lookup table whereas env is random name you choose for field to show up as interesting field
role is in lookup table whereas myRole is random name you choose for field to show up as interesting field

In case of automatic lookup defined (if done correctly) you can use the output fields (environment and role) directly like:
*** base search | stats count by environment, role****

Re: lookup is not working

shreyasathavale — Thu, 06 Oct 2016 07:36:54 GMT

Thanks for reply..Using 1st I am getting results but I am not able to see env and role in my fields.. Any thoughts?

Re: lookup is not working

govindsinghrawa — Thu, 06 Oct 2016 07:51:39 GMT

interesting fields by default will come if they span 20% event coverage.
Click at All fields (just top right to Selected fields). which opens the field selector and checkbox the fields specifically as all fields should be present there.

Up vote if u think it works. 🙂

Re: lookup is not working

shreyasathavale — Thu, 06 Oct 2016 08:00:14 GMT

Done, but still unable to find them.. If they are not in events will they not show up?? How to add them in events?

Re: lookup is not working

govindsinghrawa — Thu, 06 Oct 2016 08:12:03 GMT

Firstly if the events don't have the data u r looking for then why will the fields show up, as if it were to be then by that logic all the fields which are in "search x" should show up in "search y" as "search y" doesn't have any event from "search x" and yet is supposed to show them.

In short no event data, so no fields for that data.