After defining an automatic lookup in Splunk Web on the search head, why is the lookup not working at all?

Explorer

Hi

I have separate machines for a Search Head and Indexer. In Splunk Web on the Search Head, I went through the different steps as shown in the Splunk tutorial to define an automatic lookup based on a single lookup table uploaded as a .csv file.

For example, let's assume I have city_code, city_name in the csv file.
In my events for different sourcetypes, I have the city_code field (named in different ways depending on the sourcetype). All I need is for Splunk to look for this field "city_code" and then output the field "city_name" in the matching events.

I only did the config on Search Head as my web interface is disabled on the Indexer.

It's not working at all. Are there some manual steps I need to follow, like manually editing the transforms.conf file?

-Olavo

0 Karma

Splunk Employee

Is this a lookup failure or an automatic lookup issue? That is, does the lookup work manually ( ... | lookup lookupName lookupKeyValue OUTPUT lookupOutputValue )?

0 Karma

Explorer

If I run the lookup manually, then I don't get the required output, although there is no error message. It's just that the output fields do not appear at all.

-Olavo

0 Karma

Explorer

It appears to me that the Search Head is not sending the lookup definition to the Indexer. I assumed that once the Search Head sends the lookup definition to the Indexer, it will be stored at the following path on the indexer: $SPLUNK_HOME/etc/system/local/transform.conf.

I don’t see this file being created on the indexer.

0 Karma

Revered Legend

I hope you've created the automatic lookup on the Search Head using the instructions mentioned here:
http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

For automatic lookup, the lookup table should be part of the knowledge bundle the Search Head sends to its peers (Indexers). Check whether the lookup tables are blacklisted/whitelisted from the knowledge bundle. See this (look up the value for "replicate.lookups"):
http://docs.splunk.com/Documentation/Splunk/6.2.4/DistSearch/Limittheknowledgebundlesize

0 Karma
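
The check suggested in the answer above, as an added example that is not part of the original thread: it tests whether a lookup file would be kept out of the knowledge bundle by the [replicationBlacklist] / [replicationWhitelist] stanzas of distsearch.conf on the search head. The sample configuration, the file name city_codes.csv and the function names are constructed; the pattern handling is a simplification that assumes whole-path matching and supports only the `...` and `*` wildcards, not the embedded regular expressions Splunk also accepts.

```python
import configparser
import re

# Constructed sample of a search head's distsearch.conf (not taken from the thread).
SAMPLE_DISTSEARCH = """
[replicationBlacklist]
no_search_csv = apps/search/lookups/*.csv
no_bin = apps/*/bin/...
"""

def pattern_to_regex(pattern):
    """Translate a Splunk-style path pattern: '...' spans directories,
    '*' stays inside one path segment, every other character is literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def load_rules(conf_text, stanza):
    """Return {rule_name: compiled_pattern} for one stanza, or {} if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep rule names case-sensitive
    parser.read_string(conf_text)
    if not parser.has_section(stanza):
        return {}
    return {name: pattern_to_regex(value) for name, value in parser.items(stanza)}

def bundle_decision(conf_text, rel_path):
    """rel_path is relative to $SPLUNK_HOME/etc. Returns (replicated, rule_name)."""
    # The blacklist takes precedence over the whitelist.
    for name, rx in load_rules(conf_text, "replicationBlacklist").items():
        if rx.match(rel_path):
            return (False, name)
    whitelist = load_rules(conf_text, "replicationWhitelist")
    if not whitelist:
        # Assumption: with no whitelist in the supplied text, defaults allow the file.
        return (True, None)
    for name, rx in whitelist.items():
        if rx.match(rel_path):
            return (True, name)
    return (False, None)
```

To check a real search head, pass the merged configuration printed by `splunk btool distsearch list` as `conf_text` instead of the sample.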

Explorer

Thanks so much. I will check out your suggestions.

-Olavo

0 Karma