Other Usage

Lookup definitions are not possible.

NC_AS
Explorer

Please tell me about the lookup operation.

1. when you register a new lookup table file (CSV) from the GUI, you can immediately refer to it on the search screen. 

 

| inputlookup “lookup.csv”

 

However, it does not appear in the list of files in the “Lookup File” pull-down on the next Create New Lookup Definition screen. It takes time to set up because it appears after more than one day each time.
Is this due to a limitation caused by the specifications?
If you know the cause, please let us know. 

 

2. no lookup
The following CSV file is registered, and lookup definitions and automatic definitions are also set.
【lookup.csv】

 

PC_Name | Status | MacAddr1 | MacAddr2
------------------------------------------------------------
PC_Name1 | Used | aa:bb:cc... | zz:yy:xx...
PC_Name2 | Used | aa:bb:cc... | zz:yy:xx...
PC_Name3 | Used | aa:bb:cc... | zz:yy:xx...

 

*MacAddr1 and MacAddr2 by Ethernet and WiFi Address, I want to refer to MacAddr2 as a key.

The following fields are output in the target index log
CL_MacAddr as defined in the calculated field

I would like to reference the Mac address of this CL_MacAddr from lookup.csv and output PC_Name and Status as fields, but it is not working.

For example, when I enter the following in the search screen, only the existing fields appear, not PC_Name, Status, etc.


index=“nc-wlx402” sourcetype=“NC-WIFI-3” | lookup “lookup.csv” MACAddr2 AS CL_MacAddr OutputNew

 

However, another lookup definition is available for the same index and source type (automatic definition setting, confirmed operation).
I'm assuming this is due to something basic...

please help me

0 Karma
1 Solution

NC_AS
Explorer

@gcusello 

ルックアップ定義で大文字と小文字の区別のフラグを解除しましたか?


Did you unflagged the case sensitivity in the lookup definition?


The cause was here!
Resolved!

Thank you very much for your help.
Thanks for your help.

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @NC_AS,

how did you create your lookup: using the Splunk App for Lookup Editing or by GUI [Settings > Lookups >Lookp File]?

if the second case, which are the permissions of your lookup? usualy they are Global.

At  least, after few minuts, can you see the lookup in the dropdown list in the lookup Definition? I usually don't need any time to see the lookups in this dropdown list.

Then, use OUTPUT or OUTPUTNES when you want to define the fields to add to your search, or don't use use it, in other words, don't use empty OUTPUTNEW as you did.

Last thing, the error you described, is when you asked a wrong lookup field: check the field name  you used remembering that field names are case sensitive.

Ciao.

Giuseppe

0 Karma

NC_AS
Explorer

Thanks for the reply. @gcusello 

I was setting up lookups from the GUI, from Setting>Lookup, uploading lookup files, defining them, and setting up automatic lookups (now only automatic lookups are unset).

Setting the permissions to global did not solve the problem.

Also, when I entered the following in the search screen, the records associated with the value of value could be displayed in the results.

| makeresults count=1 | eval value=“cc:00:00:ab:cd:99” | lookup “240520_Macaddr_glpi.csv” MACAddr1 AS value

But also in the search screen

index=“nc” | lookup “240520_Macaddr_glpi.csv” MACAddr1 AS CL_MacAddr
Or
index=“nc” | lookup “240520_Macaddr_glpi.csv” MACAddr1
I could not find any PC_Name or Status in the fields. The result is the same as a search without the lookup function.
CL_MacAddr is a field with already defined MacAdress.

Can you think of any other possible causes?

 

★| makeresults count=1 | eval value="cc:00:00:ab:cd:99" | lookup "240520_Macaddr_glpi.csv" MACAddr1 AS value result

NC_AS_0-1716530360305.png

It would be nice if they would also show PC_Name, etc. from the log MacAdress like this...

 

★index=“nc” | lookup “240520_Macaddr_glpi.csv” MACAddr1 AS CL_MacAddr result.

Fields such as PC_Name do not appear here.

NC_AS_3-1716531078261.png

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @NC_AS,

probably the values in MACAddr1 and CL_MacAddr doesn't match.

Did you unflagged the case sensitivity in the lookup definition?

Then check if there are spaces in the lookup values.

Ciao.

Giuseppe

0 Karma

NC_AS
Explorer

@gcusello 

ルックアップ定義で大文字と小文字の区別のフラグを解除しましたか?


Did you unflagged the case sensitivity in the lookup definition?


The cause was here!
Resolved!

Thank you very much for your help.
Thanks for your help.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @NC_AS ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

NC_AS
Explorer

And, I'm not getting the following message

0 Karma

NC_AS
Explorer

Sorry,,

 

And, I'm not getting the following message

 

Error in 'lookup' command: Cannot find the source field 'xxx' in the lookup table 'lookup.csv'.

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...