Please tell me about the lookup operation.
1. When you register a new lookup table file (CSV) from the GUI, you can immediately refer to it on the search screen.
| inputlookup "lookup.csv"
However, it does not appear in the list of files in the “Lookup File” pull-down on the next Create New Lookup Definition screen. It takes time to set up because it appears after more than one day each time.
Is this due to a limitation caused by the specifications?
If you know the cause, please let us know.
2. No lookup
The following CSV file is registered, and lookup definitions and automatic definitions are also set.
【lookup.csv】
PC_Name | Status | MacAddr1 | MacAddr2
------------------------------------------------------------
PC_Name1 | Used | aa:bb:cc... | zz:yy:xx...
PC_Name2 | Used | aa:bb:cc... | zz:yy:xx...
PC_Name3 | Used | aa:bb:cc... | zz:yy:xx...
*MacAddr1 and MacAddr2 are the Ethernet and WiFi addresses; I want to refer to MacAddr2 as a key.
The following fields are output in the target index log
CL_MacAddr as defined in the calculated field
I would like to reference the Mac address of this CL_MacAddr from lookup.csv and output PC_Name and Status as fields, but it is not working.
For example, when I enter the following in the search screen, only the existing fields appear, not PC_Name, Status, etc.
index="nc-wlx402" sourcetype="NC-WIFI-3" | lookup "lookup.csv" MACAddr2 AS CL_MacAddr OutputNew
However, another lookup definition is available for the same index and source type (automatic definition setting, confirmed operation).
I'm assuming this is due to something basic...
Please help me.
Hi @NC_AS,
How did you create your lookup: using the Splunk App for Lookup Editing or by GUI [Settings > Lookups > Lookup File]?
If the second case, what are the permissions of your lookup? Usually they are Global.
At least, after a few minutes, can you see the lookup in the dropdown list in the Lookup Definition? I usually don't need any time to see the lookups in this dropdown list.
Then, use OUTPUT or OUTPUTNEW when you want to define the fields to add to your search, or don't use it; in other words, don't use an empty OUTPUTNEW as you did.
Last thing, the error you described occurs when you ask for a wrong lookup field: check the field name you used, remembering that field names are case sensitive.
Ciao.
Giuseppe
Thanks for the reply. @gcusello
I was setting up lookups from the GUI, from Setting>Lookup, uploading lookup files, defining them, and setting up automatic lookups (now only automatic lookups are unset).
Setting the permissions to global did not solve the problem.
Also, when I entered the following in the search screen, the records associated with the value of value could be displayed in the results.
| makeresults count=1 | eval value="cc:00:00:ab:cd:99" | lookup "240520_Macaddr_glpi.csv" MACAddr1 AS value
But also in the search screen
index="nc" | lookup "240520_Macaddr_glpi.csv" MACAddr1 AS CL_MacAddr
Or
index="nc" | lookup "240520_Macaddr_glpi.csv" MACAddr1
I could not find any PC_Name or Status in the fields. The result is the same as a search without the lookup function.
CL_MacAddr is a field with an already defined MAC address.
Can you think of any other possible causes?
★| makeresults count=1 | eval value="cc:00:00:ab:cd:99" | lookup "240520_Macaddr_glpi.csv" MACAddr1 AS value result
It would be nice if they would also show PC_Name, etc. from the log MAC address like this...
★index="nc" | lookup "240520_Macaddr_glpi.csv" MACAddr1 AS CL_MacAddr result.
Fields such as PC_Name do not appear here.
Hi @NC_AS,
Probably the values in MACAddr1 and CL_MacAddr don't match.
Did you unflag the case sensitivity in the lookup definition?
Then check if there are spaces in the lookup values.
Ciao.
Giuseppe
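A small diagnostic for the two causes suggested in this reply (case-sensitive matching and spaces in the lookup values), added here as an example and not code from the thread or from Splunk. It runs outside Splunk on an exported CSV; the sample rows, MAC values and the `diagnose` function are constructed for illustration.

```python
import csv
import io

# Constructed sample data (not from the thread): a lookup table keyed on
# MacAddr2, and the CL_MacAddr values seen in events (lower case).
# The third row has a stray leading space in its key.
LOOKUP_CSV = """PC_Name,Status,MacAddr1,MacAddr2
PC_Name1,Used,AA:BB:CC:00:00:01,CC:00:00:AB:CD:01
PC_Name2,Used,AA:BB:CC:00:00:02,cc:00:00:ab:cd:02
PC_Name3,Used,AA:BB:CC:00:00:03, CC:00:00:AB:CD:03
"""
EVENT_VALUES = ["cc:00:00:ab:cd:01", "cc:00:00:ab:cd:02",
                "cc:00:00:ab:cd:03", "cc:00:00:ab:cd:99"]


def diagnose(lookup_text, key_field, event_values):
    """Label each event value with the weakest normalization that makes it match."""
    rows = list(csv.DictReader(io.StringIO(lookup_text)))
    if not rows or key_field not in rows[0]:
        # Field names are case sensitive: "MACAddr2" is not "MacAddr2".
        raise KeyError(f"field {key_field!r} not in lookup header")
    keys = [row[key_field] for row in rows]
    exact = set(keys)
    folded = {k.lower() for k in keys}
    trimmed = {k.strip().lower() for k in keys}
    report = {}
    for value in event_values:
        if value in exact:
            report[value] = "exact"
        elif value.lower() in folded:
            # Fixed by turning off case-sensitive match in the lookup
            # definition (case_sensitive_match = false in transforms.conf).
            report[value] = "case-only mismatch"
        elif value.strip().lower() in trimmed:
            # Needs the CSV cleaned; the case setting alone will not help.
            report[value] = "whitespace mismatch"
        else:
            report[value] = "no match"
    return report


if __name__ == "__main__":
    for value, verdict in diagnose(LOOKUP_CSV, "MacAddr2", EVENT_VALUES).items():
        print(f"{value}  {verdict}")
```

For asset enrichment by MAC address, any value reported as a mismatch is an event that a case-sensitive lookup passes through without PC_Name or Status and without raising an error.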
Did you unflag the case sensitivity in the lookup definition?
The cause was here!
Resolved!
Thank you very much for your help.
Thanks for your help.
Hi @NC_AS ,
Good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Sorry, and I'm not getting the following message:
Error in 'lookup' command: Cannot find the source field 'xxx' in the lookup table 'lookup.csv'.