Splunk Search

Automatic lookups and rangemap

Influencer

I think I am going mad...

I set up a lookup table (points.csv) containing

range,Place,Points
2013,1,20
2013,2,15
2013,3,11
2013,4,8
2013,5,6
2013,6,5
2013,7,4
2013,8,3
2013,9,2
2013,0,1
2004,1,5
2004,2,4
2004,3,3
2004,4,2
2004,0,1
1995,1,5
1995,2,4
1995,3,3
1995,4,2
1995,0,1

I created a lookup in transforms.conf

[placepoints]
filename = points.csv

I created an automatic lookup

[bbr*]
LOOKUP-placepoints = placepoints Place range OUTPUTNEW Points AS PlacePoints

This search

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7
| rangemap field=Year 1995=0-2003 2004=2004-2012 2013=2013-9999 
| table Name, Place, Points, PlacePoints 
| sort - Points

I am pretty sure when I created this the first time it worked, however, I deleted the lookup and then have tried various incarnations of new attempts to get it to work again without luck and now I doubt I ever did get it to work,

Putting the lookup in manually as in

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7
| rangemap field=Year 1995=0-2003 2004=2004-2012 2013=2013-9999 
| lookup placepoints Place range OUTPUTNEW Points as PlacePoints
| table Name, Place, Points, PlacePoints 
| sort - Points

works fine and I get PlacePoints (or any other name I use).

So I started to wonder if it ever worked and the order or rangemap and automatic lookups. Is the range field available when the automatic lookup is run, i.e. does it run before the rangemap process or after it.

0 Karma
1 Solution

Legend

The automatic lookup will occur prior to the rangemap.

However, you cannot use wildcards in props.conf for sourcetype stanzas. So I don't think your automatic lookup is happening.
Second, automatic lookups happen as part of the base search processing.
Just run the search:

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7

Both fields Place and range must exist in the search results, or else the automatic lookup will not return any results. Even after you fix the name of the stanza to match the sourcetype.

View solution in original post

0 Karma

Legend

The automatic lookup will occur prior to the rangemap.

However, you cannot use wildcards in props.conf for sourcetype stanzas. So I don't think your automatic lookup is happening.
Second, automatic lookups happen as part of the base search processing.
Just run the search:

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7

Both fields Place and range must exist in the search results, or else the automatic lookup will not return any results. Even after you fix the name of the stanza to match the sourcetype.

View solution in original post

0 Karma

Influencer

Thanks, I had got to the wildcards in sourcetype stanzas issue, so fixed that and you are right, it still did not work. What you say makes sense, but I just can't figure out why I believe it worked when I first created the automatic lookup - but that's now lost in the depths of time, so I'll go with your answer and work on the basis of the manual lookup.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!