Archive
Highlighted

Refining the search through lookup

Contributor

Hi,

Below is the search I am running on a set of servers in the lookup file , I don't want to run the search on all the hosts resulting from my main search that's why I am using the sub search (using inputlookup)

index=cohl host=mdc* [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host] | where count==0 | table sourcetype host

But when I run the search I see the error :

Regex: invalid UTF-8 string

Can the experts let me know how to get rid of this error?

Tags (1)
0 Karma
Highlighted

Re: Refining the search through lookup

SplunkTrust
SplunkTrust

Do you only want to run your search for host,sourcetype combination in subsearch where the value of field count in the subsearch is greater than 0? If yes then, you should include the where clause inside subsearch. Also, add a table command at the end of subsearch to only return the fields that you want to pass (and which are available in ) in base search.

index=cohl  [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host | where count=0 | table sourcetype host] 
0 Karma
Highlighted

Re: Refining the search through lookup

Contributor

I tried your query but it doesn't work , to test it I placed 'where count >=0' , but it again gave me that error .

index=cohl host=mdc* [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host | where count ==0 | table sourcetype host]

The above query doesn't return anything.

0 Karma
Highlighted

Re: Refining the search through lookup

SplunkTrust
SplunkTrust

Try this

index=cohl  [ | inputlookup COHL_Sourcetype | stats count by sourcetype host | where count=0 | table sourcetype host | format ] 

OR

index=cohl  [ | inputlookup COHL_Sourcetype | stats count by sourcetype host | where count=0 | table sourcetype host | format  "" "" "" "" "" ""] 
0 Karma
Highlighted

Re: Refining the search through lookup

SplunkTrust
SplunkTrust

Have you verified there are no weird characters in your inputlookup table?

0 Karma
Highlighted

Re: Refining the search through lookup

Contributor

No I don't see anything weird in the lookup file. Any way I can remove those characters if any?

0 Karma
Highlighted

Re: Refining the search through lookup

Legend

Splunk expects the lookup files to be in the UTF-8 character set, with normal line endings (Linux or Windows).
Here are the specific requirements from the Configure CSV lookups section of the Knowledge Manager manual. The file must also be in proper CSV format.

Many text editors can find and "zap" weird characters and clean up the line endings in a file. I think Notepad++ may do this, as will BBEdit and others.

0 Karma
Highlighted

Re: Refining the search through lookup

Esteemed Legend

What does this do:

| inputlookup COHL_Sourcetype

Does the above give you the error, too? If so, you definitely need to clean the file.

Also, the search definitely is broken even beyond this error. At a minimum, this | stats count by sourcetype host should be stats count by sourcetype host | table sourcetype host or maybe stats count by sourcetype host | table sourcetype or maybe stats count by sourcetype host | table host.

0 Karma