Splunk Search

After defining an automatic lookup in Splunk Web on the search head, why is the lookup not working at all?

olavo123
Explorer

Hi

I have separate machines for a Search Head and Indexer. In Splunk Web on the Search Head, I went through the different steps as shown in the Splunk tutorial to define automatic lookup based on a single lookup table uploaded as .csv file.

For example, lets assume, I have city_code, city_name in the csv file.
In my events for different sourcetypes, I have the city_code field (named in different ways depending on the sourcetype). All I need is for Splunk to look for this field "city_code" and then output the field "city_name" in the matching events.

I only did the config on Search Head as my web interface is disabled on the Indexer.

Its not working at all. Is there some manual steps I need to follow like manually editing transforms.conf file?

-Olavo

0 Karma

narwhal
Splunk Employee
Splunk Employee

Is this a lookup failure or an automatic lookup issue? That is, does the lookup work manually? ( ... | lookup lookupName lookupKeyValue OUTPUT lookupOutputValue ) ???

0 Karma

olavo123
Explorer

If I run the lookup manually, then I dont get the required output, although there is no error message. Its just that the Output fields do not appear at all.

-Olavo

0 Karma

olavo123
Explorer

Appears to me that the Search Head is not sending the lookup definition to the Indexer. I assumed that once Search Head sends the lookup definition to the Indexer, it will be stores at the following path on the indexer : $SPLUNK_HOME/etc/system/local/transform.conf.

I don’t see this file being created on the indexer.

0 Karma

somesoni2
Revered Legend

I hope you've created the automatic lookup on Search Head using instructions mentioned here
http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

For automatic lookup, the lookup table should be part of knowledge bundle Search Head sends to its Peers (Indexers). Check if the lookup tables are blacklisted/whitelisted from knowledge bundle. See this (lookup for value for "replicate.lookups")
http://docs.splunk.com/Documentation/Splunk/6.2.4/DistSearch/Limittheknowledgebundlesize

0 Karma

olavo123
Explorer

Thanks so much. I will check it out your suggestions.

-Olavo

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...