Splunk Search

Automatic lookups and rangemap

bowesmana
SplunkTrust

I think I am going mad...

I set up a lookup table (points.csv) containing

range,Place,Points
2013,1,20
2013,2,15
2013,3,11
2013,4,8
2013,5,6
2013,6,5
2013,7,4
2013,8,3
2013,9,2
2013,0,1
2004,1,5
2004,2,4
2004,3,3
2004,4,2
2004,0,1
1995,1,5
1995,2,4
1995,3,3
1995,4,2
1995,0,1

I created a lookup in transforms.conf

[placepoints]
filename = points.csv

I created an automatic lookup

[bbr*]
LOOKUP-placepoints = placepoints Place range OUTPUTNEW Points AS PlacePoints

This search

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7
| rangemap field=Year 1995=0-2003 2004=2004-2012 2013=2013-9999 
| table Name, Place, Points, PlacePoints 
| sort - Points

I am pretty sure when I created this the first time it worked; however, I deleted the lookup and then have tried various incarnations of new attempts to get it to work again without luck, and now I doubt I ever did get it to work.

Putting the lookup in manually as in

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7
| rangemap field=Year 1995=0-2003 2004=2004-2012 2013=2013-9999 
| lookup placepoints Place range OUTPUTNEW Points as PlacePoints
| table Name, Place, Points, PlacePoints 
| sort - Points

works fine and I get PlacePoints (or any other name I use).

So I started to wonder if it ever worked, and about the order of rangemap and automatic lookups. Is the range field available when the automatic lookup is run, i.e. does it run before the rangemap process or after it?

0 Karma

lguinn2
Legend

The automatic lookup will occur prior to the rangemap.

However, you cannot use wildcards in props.conf for sourcetype stanzas. So I don't think your automatic lookup is happening.
Second, automatic lookups happen as part of the base search processing.
Just run the search:

index="bbr" sourcetype="bbr*" source="BBR*csv" host="Atacama" Event=10km Year=2016 Month=7

Both fields Place and range must exist in the search results, or else the automatic lookup will not return any results, even after you fix the name of the stanza to match the sourcetype.


0 Karma
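
Added example, not part of the original thread or either poster's configuration: one way to make range exist before the automatic lookup runs is a calculated field in props.conf, since Splunk's search-time sequence evaluates calculated fields (EVAL-) before automatic lookups (LOOKUP-). The stanza name bbr_results is a hypothetical placeholder for the exact sourcetype name, and Year is assumed to be a numeric field already extracted at search time.

```ini
# transforms.conf (unchanged from the question)
[placepoints]
filename = points.csv

# props.conf
# Before (from the question): sourcetype stanza names are matched literally,
# so [bbr*] never applies, and range does not exist yet when the lookup runs.
# [bbr*]
# LOOKUP-placepoints = placepoints Place range OUTPUTNEW Points AS PlacePoints

# After: bbr_results is a hypothetical placeholder; use the exact sourcetype name.
[bbr_results]
# Calculated field mirroring the rangemap buckets used in the search:
#   1995=0-2003  2004=2004-2012  2013=2013-9999
EVAL-range = case(Year>=0 AND Year<=2003, "1995", Year>=2004 AND Year<=2012, "2004", Year>=2013 AND Year<=9999, "2013")
# range is now populated before the automatic lookup is applied.
LOOKUP-placepoints = placepoints Place range OUTPUTNEW Points AS PlacePoints
```

With this in place the base search alone should return PlacePoints, and the rangemap command is no longer needed to feed the lookup.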


bowesmana
SplunkTrust

Thanks, I had got to the wildcards in sourcetype stanzas issue, so fixed that and you are right, it still did not work. What you say makes sense, but I just can't figure out why I believe it worked when I first created the automatic lookup - but that's now lost in the depths of time, so I'll go with your answer and work on the basis of the manual lookup.

0 Karma