topic Re: Edit an Automatic Lookup in Splunk Search

Edit an Automatic Lookup

zschmid — Fri, 11 Feb 2011 05:26:17 GMT

I have an automatic lookup in which i need to rename one of the lookup fields.

Right now whenever a search runs that has source="wsus" the automatic lookup correlates the hostname from the event with the hostname in the lookup file and adds both a business and sub_business field to the event. I need to rename the business field to "newbusiness", however in doing so, it seems as if the old automatic lookup field names are actually part of the event.

I was under the assumption that automatic lookups run at search time. Am I mistaken? Even after completely deleting the automatic lookup both the business, and sub_business fieldS still appear in the events, and if I try to rename the business field to newbusiness in the automatic lookup , when I run a search for source="wsus" it still returns only business and sub_business.

Any suggestions? Am I overlooking something? Your help is much appreciated.

Thanks!

Re: Edit an Automatic Lookup

gkanapathy — Fri, 11 Feb 2011 05:31:32 GMT

Lookups only run at search time, so if the fields are getting looked up and added to the event, it seems like there's some configuration problem, perhaps in a different app or a private user context.

Note that a lookup can be configured to output the field names differently from what's in the file, e.g.:

LOOKUP-1 = mylookup infield1 OUTPUT filefieldname AS displayfieldname file2 AS displayfield2

Re: Edit an Automatic Lookup

zschmid — Fri, 11 Feb 2011 05:52:58 GMT

Thanks for your quick response. Do have any suggestions where to begin troubleshooting a configuration issue?
I understand that I can rename the output field names differently than what is in the file, however this doesnt really seem to be the issue. Regardless of what I put only the original field names appear.

I should also note that this is source="wsus" is in a summary index, but I figured that shouldn't make a difference.

Re: Edit an Automatic Lookup

David — Mon, 28 Sep 2020 09:24:36 GMT

When troubleshooting configuration changes that don't seem to apply, I'm a big fan of frequent restarts and (on linux) "cd /opt/splunk/etc && grep -R sub_business" or (on windows) "cd c:\Program Files\Splunk\etc && findstr /snip sub_business ."

Re: Edit an Automatic Lookup

gkanapathy — Fri, 11 Feb 2011 08:02:18 GMT

Oh yeah, have you restarted? Also, do you happen to have a distributed environment, or just a single server?

Re: Edit an Automatic Lookup

zschmid — Fri, 11 Feb 2011 21:31:42 GMT

Thanks. I've restarted a few times but nothing seem to took. Gkanapathy - to answer your question, yes this is running in a distributed environment.

Re: Edit an Automatic Lookup

zschmid — Fri, 11 Feb 2011 22:03:15 GMT

A few more findings. After doing some investigating I've realized i'm actually running the automatic lookup on sourcetype (not source), which means it's running the lookup on the scheduled searches prior to inserting them into the summary index. That explains the stored fields.

However my question remains, Can you run an automatic lookup on a summary index? I've created a new automatic lookup with source=wsus but when i run it on the summary index, no fields are added to the events.

Re: Edit an Automatic Lookup

gkanapathy — Sat, 12 Feb 2011 02:00:45 GMT

I guess you could run a lookup on a summary index, but the "source" is the name of the job that inserted the data, and that's probably what you need to base it on.

Re: Edit an Automatic Lookup

zschmid — Sat, 12 Feb 2011 04:02:59 GMT

I'll continue to poke around and see if I find anything. Just to confirm the job name is indeed WSUS and it's displaying as source=wsus (and returning) events in the summary index

Re: Edit an Automatic Lookup

gkanapathy — Sat, 12 Feb 2011 04:04:48 GMT

Uh, and are you generating the summary using stats or sistats (or another si command)?

Re: Edit an Automatic Lookup

zschmid — Sat, 12 Feb 2011 04:33:07 GMT

We're actually just using the | table field1, field2, field3, field4 to dump those records into the summary

Re: Edit an Automatic Lookup

zschmid — Wed, 16 Feb 2011 04:15:49 GMT

I figured out the solution to this problem.

When defining a source in an automatic lookup they are case sensitive. WSUS != wsus. I defined my automatic lookup to look for source=wsus when all my events were tagged with source=WSUS .

Somewhat of a minor annoyance and was a litle more of a headache to figure out than I would have liked.

I wish there was a little more consistency in the way that Splunk handles case sensitivity and this is a perfect example.

If from a splunk search I can search for sourec=wsus and it'll return something that is defined as source=WSUS, shouldn't the same logic apply to an automatic lookup?

Again, minor annoyance but hopefully this saves someone some time if you run into the same problem.

Thanks!

Re: Edit an Automatic Lookup

twinspop — Fri, 24 May 2013 15:21:30 GMT

Wow, thanks for this tip. That sure sounds like a bug, but this answer is 2 years old and this behavior is still present in 5.0.2. 😞