Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can't get lookups to work

timmy13
Communicator
‎06-08-2011 12:24 PM

I am just using some test data that I generated to try to get lookups to work.

First, my log (completely manually generated and meaningless) file looks like this....

TimeDate:201108034352 USERID:100002 PRODUCTION:71

TimeDate:201105014327 USERID:100001 PRODUCTION:37

TimeDate:201112014446 USERID:100002 PRODUCTION:92

TimeDate:201107060448 USERID:100003 PRODUCTION:14

There are about 10000 lines.
I've extracted the USERID: value to a field called UserID

My lookup table, super simple, looks like this....

UserID,Username

100000,Elvis Presley

100001,Jim Morrison

100002,Jimi Hendrix

100003,Janis Joplin

This is uploaded, and location defined in the Manager/Lookups/Lookup Table Files, and Called UserFile

The Lookup is define in Manager/Lookups/Lookup Definitions, Named UserLookup, Type is filebased, and Lookup File is UserTable.

Finally, under Manager/Lookups/Automatic Lookups, I created an automatic lookup named Username Lookup. The Lookup Table is UserLookup. The input field is UserID=UserID, and the output field is Username=Username.

Obviously, the object here is to autolookup the Name field based on the UserID Field. But, it doesn't work. I dont' even see UserName in the field List.

It's gotta be something super dumb/simple I'm missing here.

Thanks in advance.

Tags (2)
0 Karma
Reply

cgkades
Explorer
‎07-02-2012 12:52 PM

Is there any way to have it auto look up the userid to username without having to manually create a table?

0 Karma
Reply

vshackler
New Member
‎06-29-2011 01:13 PM

I'm having the same problem as the original poster. The command

|inputlookup definition

returns my table. I'm still not seeing the new field as an available selection or filter in my searches, however.

0 Karma
Reply

ziegfried
Influencer
‎06-08-2011 02:07 PM

To validate that the lookup definition has been configured correctly, you can execute the following search:

| inputlookup UserLookup

This should give you the content of the lookup file in the search result.

Does this work?

0 Karma
Reply

mw
Splunk Employee
Splunk Employee
‎06-08-2011 02:03 PM

What happens when you do a search like "UserID=* | lookup UserLookup UserID OUTPUT Username"?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...