- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- After defining an automatic lookup in Splunk Web o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After defining an automatic lookup in Splunk Web on the search head, why is the lookup not working at all?
Hi
I have separate machines for a Search Head and Indexer. In Splunk Web on the Search Head, I went through the different steps as shown in the Splunk tutorial to define automatic lookup based on a single lookup table uploaded as .csv file.
For example, lets assume, I have city_code, city_name in the csv file.
In my events for different sourcetypes, I have the city_code field (named in different ways depending on the sourcetype). All I need is for Splunk to look for this field "city_code" and then output the field "city_name" in the matching events.
I only did the config on Search Head as my web interface is disabled on the Indexer.
Its not working at all. Is there some manual steps I need to follow like manually editing transforms.conf file?
-Olavo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this a lookup failure or an automatic lookup issue? That is, does the lookup work manually? ( ... | lookup lookupName lookupKeyValue OUTPUT lookupOutputValue ) ???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I run the lookup manually, then I dont get the required output, although there is no error message. Its just that the Output fields do not appear at all.
-Olavo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Appears to me that the Search Head is not sending the lookup definition to the Indexer. I assumed that once Search Head sends the lookup definition to the Indexer, it will be stores at the following path on the indexer : $SPLUNK_HOME/etc/system/local/transform.conf.
I don’t see this file being created on the indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hope you've created the automatic lookup on Search Head using instructions mentioned here
http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Usefieldlookupstoaddinformationtoyoureve...
For automatic lookup, the lookup table should be part of knowledge bundle Search Head sends to its Peers (Indexers). Check if the lookup tables are blacklisted/whitelisted from knowledge bundle. See this (lookup for value for "replicate.lookups")
http://docs.splunk.com/Documentation/Splunk/6.2.4/DistSearch/Limittheknowledgebundlesize
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much. I will check it out your suggestions.
-Olavo
Monitoring MariaDB and MySQL
Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...
Splunk Federated Analytics for Amazon Security Lake
