Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Where did I go wrong with my inputlookup search?

mafruma
Explorer
‎01-13-2016 01:57 PM

Hello all.

I have not been able to populate a table via a search that uses inputlookup. My table is only populating with the data from the events. Where did I go wrong?

My search:

sourcetype=integration.wmb.event SAPTransactionID 
| append  [ |inputlookup idocsDec.csv | fields + CREDAT,CRETIM,hour,minute,STATUS,TID | rename TID as SAPTransactionID]
| transaction SAPTransactionID
| table SAPTransactionID CREDAT CRETIM hour minute STATUS

The only data that gets populated in the table is the SAPTransactionID. All of the other fields that I want to pull data from the csv are empty.

0 Karma
Reply

somesoni2
Revered Legend
‎01-13-2016 02:32 PM

The transaction command requires field _time to be present (to calculate duration) which seems to be missing from your Inputlookup data. If available, create a field _time in the subsearch with inputlookup and try again.

If you're only looking to group events based on SAPTransactionId, consider using stats command which is more efficient.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...