Splunk Search

After defining an automatic lookup in Splunk Web on the search head, why is the lookup not working at all?

olavo123
Explorer

Hi

I have separate machines for a Search Head and Indexer. In Splunk Web on the Search Head, I went through the different steps as shown in the Splunk tutorial to define an automatic lookup based on a single lookup table uploaded as a .csv file.

For example, let's assume I have city_code and city_name in the csv file.
In my events for different sourcetypes, I have the city_code field (named in different ways depending on the sourcetype). All I need is for Splunk to look for this field "city_code" and then output the field "city_name" in the matching events.

I only did the config on Search Head as my web interface is disabled on the Indexer.

It's not working at all. Are there some manual steps I need to follow, like manually editing the transforms.conf file?

-Olavo

0 Karma

narwhal
Splunk Employee

Is this a lookup failure or an automatic lookup issue? That is, does the lookup work manually? ( ... | lookup lookupName lookupKeyValue OUTPUT lookupOutputValue ) ???

0 Karma

olavo123
Explorer

If I run the lookup manually, then I don't get the required output, although there is no error message. It's just that the output fields do not appear at all.

-Olavo

0 Karma

olavo123
Explorer

It appears to me that the Search Head is not sending the lookup definition to the Indexer. I assumed that once the Search Head sends the lookup definition to the Indexer, it will be stored at the following path on the indexer: $SPLUNK_HOME/etc/system/local/transforms.conf.

I don’t see this file being created on the indexer.

0 Karma

somesoni2
Revered Legend

I hope you've created the automatic lookup on Search Head using instructions mentioned here
http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

For an automatic lookup, the lookup table should be part of the knowledge bundle the Search Head sends to its peers (indexers). Check whether the lookup tables are blacklisted/whitelisted from the knowledge bundle. See this (look for the value "replicate.lookups"):
http://docs.splunk.com/Documentation/Splunk/6.2.4/DistSearch/Limittheknowledgebundlesize

0 Karma
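The other half of the problem in the question is the field-name mismatch: the lookup table's key is city_code, but the events name that field differently per sourcetype, so the props.conf LOOKUP- definition has to map the lookup field onto each sourcetype's field with an AS clause. Below is an added example, not Splunk's code and not from anyone in this thread, that models how an automatic lookup resolves "lookup_field AS event_field ... OUTPUT lookup_field AS event_field" in plain Python. The CSV, the two props.conf-style definitions, the sourcetype names and the sample events are all constructed for illustration; the transforms.conf stanza name city_lookup is assumed.

```python
"""Model of how a Splunk automatic lookup (props.conf LOOKUP-<name>) maps
fields. Added illustration only; not Splunk's implementation."""
import csv
import io
import re

# Constructed sample of the uploaded lookup table (city_codes.csv).
LOOKUP_CSV = """city_code,city_name
LIS,Lisbon
POR,Porto
FAO,Faro
"""

# Constructed props.conf LOOKUP- definitions, keyed by sourcetype.
# "city_code AS cc" means: match the table's city_code against the event's cc.
# Because each sourcetype names the key field differently, each gets its own
# AS clause; without it Splunk looks for an event field literally named
# city_code and, finding none, silently adds nothing (no error is raised).
PROPS_LOOKUPS = {
    "web:access": "city_lookup city_code AS cc OUTPUT city_name",
    "app:log": "city_lookup city_code AS src_city OUTPUT city_name AS src_city_name",
}


def _parse_specs(text):
    """Turn 'a AS b c' into [('a', 'b'), ('c', 'c')]: (lookup field, event field)."""
    specs = []
    for m in re.finditer(r"(\w+)(?:\s+AS\s+(\w+))?", text, flags=re.I):
        specs.append((m.group(1), m.group(2) or m.group(1)))
    return specs


def parse_lookup_definition(definition):
    """Split '<name> <inputs> OUTPUT <outputs>' into its three parts.
    Only OUTPUT is modelled here; OUTPUTNEW (do not overwrite) is not."""
    parts = re.split(r"\s+OUTPUT\s+", definition.strip(), maxsplit=1, flags=re.I)
    head = parts[0].split()
    name, inputs = head[0], " ".join(head[1:])
    outputs = parts[1] if len(parts) == 2 else ""
    return {"name": name, "inputs": _parse_specs(inputs), "outputs": _parse_specs(outputs)}


def load_lookup(csv_text):
    """Read the lookup table as a list of row dicts (header row gives field names)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def apply_automatic_lookup(event, definition, table):
    """Enrich one event the way the LOOKUP- definition describes.

    Returns a new dict. When the event lacks the mapped input field or no row
    matches, the event is returned unchanged: no error, no output field, which
    is the symptom described in the thread. Only the first matching row is
    used; a real lookup can return several values per output field.
    """
    spec = parse_lookup_definition(definition)
    enriched = dict(event)
    for row in table:
        if all(row.get(lookup_f) == event.get(event_f) for lookup_f, event_f in spec["inputs"]):
            for lookup_f, event_f in spec["outputs"]:
                if lookup_f in row:
                    enriched[event_f] = row[lookup_f]
            break
    return enriched


def enrich_events(events, props=PROPS_LOOKUPS, csv_text=LOOKUP_CSV):
    """Apply the per-sourcetype automatic lookup to every event."""
    table = load_lookup(csv_text)
    out = []
    for ev in events:
        definition = props.get(ev.get("sourcetype"))
        out.append(apply_automatic_lookup(ev, definition, table) if definition else dict(ev))
    return out


# Constructed sample events. The last one carries the key under the table's
# own name (city_code) while its sourcetype maps the key to cc, so it gets
# no city_name: the same "no output fields at all" seen in the question.
SAMPLE_EVENTS = [
    {"sourcetype": "web:access", "cc": "LIS", "uri": "/login"},
    {"sourcetype": "app:log", "src_city": "POR", "msg": "started"},
    {"sourcetype": "app:log", "src_city": "XXX", "msg": "code not in table"},
    {"sourcetype": "web:access", "city_code": "FAO", "uri": "/"},
]

if __name__ == "__main__":
    for ev in enrich_events(SAMPLE_EVENTS):
        print(ev)
```

Running the block prints the first two events enriched with city_name and src_city_name, and the last two unchanged. The same AS mapping is what the manual form needs as well: `... | lookup city_lookup city_code AS cc OUTPUT city_name` for the web:access sourcetype in this example, rather than `lookup city_lookup city_code OUTPUT city_name`, which only works when the event field is literally named city_code.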

olavo123
Explorer

Thanks so much. I will check out your suggestions.

-Olavo

0 Karma