Automatic lookups and rangemap

bowesmana
SplunkTrust

I think I am going mad...

I set up a lookup table (points.csv) containing

range,Place,Points
2013,1,20
2013,2,15
2013,3,11
2013,4,8
2013,5,6
2013,6,5
2013,7,4
2013,8,3
2013,9,2
2013,0,1
2004,1,5
2004,2,4
2004,3,3
2004,4,2
2004,0,1
1995,1,5
1995,2,4
1995,3,3
1995,4,2
1995,0,1

I created a lookup in transforms.conf

[placepoints]
filename = points.csv

I created an automatic lookup

[bbr*]
LOOKUP-placepoints = placepoints Place range OUTPUTNEW Points AS PlacePoints

This search

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7
| rangemap field=Year 1995=0-2003 2004=2004-2012 2013=2013-9999 
| table Name, Place, Points, PlacePoints 
| sort - Points

I am pretty sure when I created this the first time it worked; however, I deleted the lookup and then have tried various incarnations of new attempts to get it to work again without luck, and now I doubt I ever did get it to work.

Putting the lookup in manually as in

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7
| rangemap field=Year 1995=0-2003 2004=2004-2012 2013=2013-9999 
| lookup placepoints Place range OUTPUTNEW Points as PlacePoints
| table Name, Place, Points, PlacePoints 
| sort - Points

works fine and I get PlacePoints (or any other name I use).

So I started to wonder if it ever worked and the order of rangemap and automatic lookups. Is the range field available when the automatic lookup is run, i.e. does it run before the rangemap process or after it?

0 Karma
1 Solution

lguinn2
Legend

The automatic lookup will occur prior to the rangemap.

However, you cannot use wildcards in props.conf for sourcetype stanzas. So I don't think your automatic lookup is happening.
Second, automatic lookups happen as part of the base search processing.
Just run the search:

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7

Both fields Place and range must exist in the search results, or else the automatic lookup will not return any results, even after you fix the name of the stanza to match the sourcetype.

0 Karma
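
The ordering described in the answer above, modelled in Python as an added example (not code from the thread or from Splunk). `rangemap` and `lookup_outputnew` are simplified stand-ins for the SPL commands, the CSV rows are the first rows of points.csv from the question, and the sample event is constructed.

```python
import csv
import io
# First rows of the points.csv from the question.
POINTS_CSV = "range,Place,Points\n2013,1,20\n2013,2,15\n2013,3,11\n2004,1,5\n"
# Ranges from the question's rangemap command: name -> (low, high).
RANGES = {"1995": (0, 2003), "2004": (2004, 2012), "2013": (2013, 9999)}
# Constructed sample event; only the field names come from the thread.
EVENT = {"Name": "Runner A", "Year": "2016", "Place": "2", "Points": "37"}
MATCH = ["Place", "range"]  # lookup input fields, as in the LOOKUP- line


def load_table(text=POINTS_CSV):
    return list(csv.DictReader(io.StringIO(text)))


def rangemap(event, field="Year", ranges=RANGES, default="None"):
    """Simplified model of `rangemap field=Year ...`: adds a `range` field."""
    out = dict(event)
    value = float(event[field])
    names = [n for n, (lo, hi) in ranges.items() if lo <= value <= hi]
    out["range"] = names[0] if names else default
    return out


def lookup_outputnew(event, table, src="Points", dest="PlacePoints"):
    """Simplified model of `lookup placepoints Place range OUTPUTNEW Points AS PlacePoints`."""
    out = dict(event)
    if dest in event or any(f not in event for f in MATCH):
        return out  # OUTPUTNEW keeps existing values; a missing input field matches nothing
    for row in table:
        if all(row[f] == event[f] for f in MATCH):
            out[dest] = row[src]
            break
    return out


def automatic_order(event, table):
    """Automatic lookup runs with the base search, before rangemap adds `range`."""
    return rangemap(lookup_outputnew(event, table))


def manual_order(event, table):
    """The working search: rangemap first, then the explicit lookup."""
    return lookup_outputnew(rangemap(event), table)


if __name__ == "__main__":
    for run in (automatic_order, manual_order):
        print(run.__name__, run(EVENT, load_table()))
```

In the automatic ordering the event ends up with `range` but no `PlacePoints`, which matches the empty column the question describes.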

bowesmana
SplunkTrust

Thanks, I had got to the wildcards in sourcetype stanzas issue, so fixed that and you are right, it still did not work. What you say makes sense, but I just can't figure out why I believe it worked when I first created the automatic lookup - but that's now lost in the depths of time, so I'll go with your answer and work on the basis of the manual lookup.

0 Karma