Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Are there any known problems regarding missing values in big lookup-files and is there a solution for it?

christian_l
Path Finder
‎03-15-2013 06:16 AM

Hi all,

I got a problem while performing a lookup at a csv-file.
In general the lookup works fine, but its missing some of the looked-up values.
Here is my lookup-relevant search-string:

  | lookup my_lookup number as lookup-number OUTPUT description | eval description = if(description="","no description",description)

I pipe the results into a table with number and description. In this table some of the description columns are empty, unless the value exists inside the lookup-file.
There are no special characters in the missing value. I moved the regarding row at the top and end of the file which doesn't impact the results. Other values above and below the problem value work good in the lookup. Also the problem-row works fine, if its the only row inside the lookup-file.
There are several of this "problem-rows" spread over the lookup-file. As in my eval defined the values don't seem to be read as empty values ( "" ), because there are not replaced with "no description".
The lookup-file itself has a 531K size and 12925 rows in 2 columns.

I read about the change of processing lookup-files here http://splunk-base.splunk.com/answers/8228/lookup-table-limits but I don't think this is relevant for my problem.

Are there any known problems regarding missing values in big lookup-files and is there a solution for it?

Thanks all
Christian

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

christian_l
Path Finder
‎04-10-2013 04:49 AM

Problem solved!
I found some " in the lookup file. Looks like the splunk lookup gets in trouble if only one " is appearing per lookup-file line.
It results in strange behaviour as described above. The lines between a first single-" and the next " getting an null content.
After letting sed delete all the " in the file, the lookup works fine!
As I use a script to fill the lookup files it was easy to add the following sed command:

sed -i 's/"//g' $LOOKUP_FILE

Now every future lookup-file should be compatible.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

christian_l
Path Finder
‎04-10-2013 04:49 AM

Problem solved!
I found some " in the lookup file. Looks like the splunk lookup gets in trouble if only one " is appearing per lookup-file line.
It results in strange behaviour as described above. The lines between a first single-" and the next " getting an null content.
After letting sed delete all the " in the file, the lookup works fine!
As I use a script to fill the lookup files it was easy to add the following sed command:

sed -i 's/"//g' $LOOKUP_FILE

Now every future lookup-file should be compatible.

0 Karma
Reply
Solved! Jump to solution

christian_l
Path Finder
‎03-15-2013 09:17 AM

Here are two examples from the lookup-file:

Working rows:

P 012035,WLAN Problems
P 012049,PJ: APC Smart UPS 2200

Problem rows:

P 011678,Testing
P 011115,PJ: Checkpoint Appliance Upgrade

Hint: The file is sorted by the P-number. My tests showed me there is no relevance if the problem row is at the top or bottom of the file.

0 Karma
Reply
Solved! Jump to solution

Strype
Path Finder
‎03-15-2013 08:43 AM

Can you show an example of a working row vs. the problem row?

0 Karma
Reply
Solved! Jump to solution

Strype
Path Finder
‎03-15-2013 09:34 AM

Okay well in my experience (which is short) the data would be missing from ALL rows below a missing comma or a space after a row. So my guess is search logic.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...