I’m trying to troubleshoot my use of “inputlookup”.
First I verify the following search works:
It returns 2 records as expected.
I then create the inputlookup file
with only 2 lines (w/o the space between them):
I then try this search:
index=ca [inputlookup AccountNames.csv | fields + cert_RN]
I get the following error:
[subsearch]: Lookup file 'C:\Program Files\Splunk\etc\apps\search\lookups\AccountNames.csv' may use mac-style line endings, which are unsupported.
I'm guessing you are editing this csv file on an MS OS, which editor are you using?.. Have you tried using wordpad/notepad to create your csv file? (Make sure that you save the file with the encoding utf-8 (I'm sure it doesn't matter with lookups, but Splunk prefers utf-8))..
However, I think your main issue is that your csv file only has one column (in the documentation, it mentions this and the utf-8 formatting). When I produce a csv which only has one column, I will typically produce a referencing column (which I normally call "match"), of which all the values in subsequent rows are "1"... e.g.. for your example...
match,cert_RN 1,Retail\S0002K02$ 1,Retail\S1234A12$
n.b. the last line is added for effect
Then when you try the following search (with nothing before the "pipe")...
| inputlookup AccountNames.csv
Do you see the contents of the file?
After you have verified you results you could do a lookup on the match column outputting the field desired (note: you will need to include an "
|eval match=1|" before doing the input lookup.
Hope this helps,
Thank you MHibbin.
After adding the match column and saving as UTF-8, I do indeed get results from this search
But this search yeilds no results:
index=ca [inputlookup AcctNames.csv |eval match=1|fields cert_RN]
MHibbin, My mistake. Your suggestions worked perfectly. My input file was at fault. Once I replaced my doulde-backslash with a single baclslash, everything fell into place