Splunk Search

After defining an automatic lookup in Splunk Web on the search head, why is the lookup not working at all?

olavo123
Explorer

Hi

I have separate machines for a Search Head and Indexer. In Splunk Web on the Search Head, I went through the different steps as shown in the Splunk tutorial to define automatic lookup based on a single lookup table uploaded as .csv file.

For example, lets assume, I have city_code, city_name in the csv file.
In my events for different sourcetypes, I have the city_code field (named in different ways depending on the sourcetype). All I need is for Splunk to look for this field "city_code" and then output the field "city_name" in the matching events.

I only did the config on Search Head as my web interface is disabled on the Indexer.

Its not working at all. Is there some manual steps I need to follow like manually editing transforms.conf file?

-Olavo

0 Karma

narwhal
Splunk Employee
Splunk Employee

Is this a lookup failure or an automatic lookup issue? That is, does the lookup work manually? ( ... | lookup lookupName lookupKeyValue OUTPUT lookupOutputValue ) ???

0 Karma

olavo123
Explorer

If I run the lookup manually, then I dont get the required output, although there is no error message. Its just that the Output fields do not appear at all.

-Olavo

0 Karma

olavo123
Explorer

Appears to me that the Search Head is not sending the lookup definition to the Indexer. I assumed that once Search Head sends the lookup definition to the Indexer, it will be stores at the following path on the indexer : $SPLUNK_HOME/etc/system/local/transform.conf.

I don’t see this file being created on the indexer.

0 Karma

somesoni2
Revered Legend

I hope you've created the automatic lookup on Search Head using instructions mentioned here
http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

For automatic lookup, the lookup table should be part of knowledge bundle Search Head sends to its Peers (Indexers). Check if the lookup tables are blacklisted/whitelisted from knowledge bundle. See this (lookup for value for "replicate.lookups")
http://docs.splunk.com/Documentation/Splunk/6.2.4/DistSearch/Limittheknowledgebundlesize

0 Karma

olavo123
Explorer

Thanks so much. I will check it out your suggestions.

-Olavo

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...