Automatic Lookup not working

gokulakrishnans · ‎07-10-2018

I've followed http://docs.splunk.com/Documentation/Splunk/latest/User/CreateAndConfigureFieldLookups and looked at plenty of questions about the same topic on here and I still can't figure out what I'm doing wrong with my automatic lookup. I also watched a video on this but it didn't really show how the lookup was created.

Here's my csv file I want to use for a file based lookup:

Error_Desc.csv

ErrorCode,description
1,A
2,A
3,A
4,A

For Lookup Table Files I selected
this csv and gave it the same name
for Destination filename.

For Lookup Definitions, destination app is "search", name is "WAT_Lookups.csv", type is "file based", and the lookup file is "Error_Desc.csv".

For Automatic Lookups, I have the following

Lookup Table: Error_Desc)=
Lookup input fields - ErrorCode=ABCD.ReturnCode
Lookup Output fields - Description = Description
Apply to : sourcetype named ****

Query I used to search is index=*** sourcetype=*** |table ErrorCode Description. If I run this query I get the coulmns but black table. Not sure how to proceed.

martin_mueller · ‎07-11-2018

Your lookup file has a lowercase field description, your automatic lookup expects an uppercase field Description.

gokulakrishnans · ‎07-11-2018

Fine. I will correct that. Please clarify me the following.

Lookup Table: Error_Desc
Lookup input fields - ErrorCode=ABCD.ReturnCode (or) ErrorCode (or) ReturnCode
Lookup Output fields - Description = Description "Do I have to make any modifications in this"
Apply to: sourcetype named

Automatic Lookup not working

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...