Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Automatic Lookup not working

gokulakrishnans
Explorer
‎07-10-2018 07:26 PM

I've followed http://docs.splunk.com/Documentation/Splunk/latest/User/CreateAndConfigureFieldLookups and looked at plenty of questions about the same topic on here and I still can't figure out what I'm doing wrong with my automatic lookup. I also watched a video on this but it didn't really show how the lookup was created.

Here's my csv file I want to use for a file based lookup:

Error_Desc.csv

ErrorCode,description
1,A
2,A
3,A
4,A

For Lookup Table Files I selected
this csv and gave it the same name
for Destination filename.

For Lookup Definitions, destination app is "search", name is "WAT_Lookups.csv", type is "file based", and the lookup file is "Error_Desc.csv".

For Automatic Lookups, I have the following

Lookup Table: Error_Desc)=
Lookup input fields - ErrorCode=ABCD.ReturnCode
Lookup Output fields - Description = Description
Apply to : sourcetype named ****

Query I used to search is index=*** sourcetype=*** |table ErrorCode Description. If I run this query I get the coulmns but black table. Not sure how to proceed.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-11-2018 02:31 AM

Your lookup file has a lowercase field description, your automatic lookup expects an uppercase field Description.

Reply

gokulakrishnans
Explorer
‎07-11-2018 08:37 AM

Fine. I will correct that. Please clarify me the following.

Lookup Table: Error_Desc
Lookup input fields - ErrorCode=ABCD.ReturnCode (or) ErrorCode (or) ReturnCode
Lookup Output fields - Description = Description "Do I have to make any modifications in this"
Apply to: sourcetype named

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...