Hello,
I am not sure what I am doing wrong, but logically I feel this search string should work; however, it isn't working.
Here is a description of what I am trying to do: I am trying to run a search of my data in Splunk, then output a field named DNS, then look up each DNS value in a lookup CSV file, and where there is a match it should output the corresponding Owner. Here is the search string:
index=main sourcetype=ServerList dns=* | dedup dns | table dns | lookup ServerList.csv dns OUTPUT Owner | table dns Owner
What am I doing wrong here? I get the dns field, but no Owner field is populated.
Check the field name in the ServerList.csv file that corresponds to the field dns. If they don't have the same name OR the case is different, the above will not work.
In case they are different OR of different case, use this:
index=main sourcetype=ServerList dns=* | dedup dns | table dns | lookup ServerList.csv FieldNameInlookup as dns OUTPUT Owner | table dns Owner
Based on your description, all of these MUST be true (and probably one or more is not) for it to work:
1: There is a field in your events called dns
(spelling and punctuation must be exact)
2: There is a field in your lookup file called dns
(spelling and punctuation must be exact)
3: There is a field in your lookup file called Owner
(spelling and punctuation must be exact)
Also, there should be (and in the latest versions of Splunk possibly must be) a lookup definition with ServerList.csv as the name and as the file to reference.
Also check the logs for bundle replication problems.
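The checklist above covers field names; the other silent failure mode is that the values themselves do not match, because a Splunk CSV lookup matches values case-sensitively by default (the lookup definition's case_sensitive_match setting) and does not trim whitespace. The following is an added example, not code from this thread or from Splunk: a small Python script that emulates `| lookup ServerList.csv dns OUTPUT Owner` over a constructed ServerList.csv and a constructed list of event dns values, and reports for each value whether it matches exactly, only when case is ignored, only after trimming whitespace, or not at all. The hostnames, owners and helper names are all assumptions made up for the example.

```python
import csv
import io

# Constructed sample data (not from the thread): event dns values and a small
# ServerList.csv, with deliberate case and whitespace mismatches.
EVENT_DNS = [
    "web01.example.com",      # exact match in the lookup
    "DB02.example.com",       # lookup has lower-case db02
    "app03.example.com ",     # trailing space, lookup value has none
    "mail04.example.com",     # not in the lookup at all
]

LOOKUP_CSV = """dns,Owner
web01.example.com,Platform Team
db02.example.com,Data Team
app03.example.com,App Team
"""


def load_lookup(csv_text, key_field="dns", out_field="Owner"):
    """Parse the lookup CSV into {dns: Owner}.

    Raises KeyError if either header is missing, mirroring the
    'spelling and punctuation must be exact' checks on the field names.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    if key_field not in headers or out_field not in headers:
        raise KeyError(f"lookup header {headers} lacks {key_field!r} or {out_field!r}")
    return {row[key_field]: row[out_field] for row in reader}


def lookup_owner(table, dns_value):
    """Emulate the default lookup: exact, case-sensitive value match, else no Owner."""
    return table.get(dns_value)


def diagnose(event_values, table):
    """Classify each event value by how it would need to change to match the lookup."""
    by_lower = {k.lower(): v for k, v in table.items()}
    by_trimmed_lower = {k.strip().lower(): v for k, v in table.items()}
    report = {}
    for value in event_values:
        if value in table:
            report[value] = "exact"
        elif value.lower() in by_lower:
            report[value] = "case_only"          # would match with case_sensitive_match=false
        elif value.strip().lower() in by_trimmed_lower:
            report[value] = "whitespace"         # needs trim() in the search or a cleaned CSV
        else:
            report[value] = "missing"            # genuinely absent from the lookup
    return report


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for value in EVENT_DNS:
        print(f"{value!r:24} Owner={lookup_owner(table, value)!r:16} {diagnose([value], table)[value]}")
```

In Splunk itself the same triage is `... | lookup ServerList.csv dns OUTPUT Owner | where isnull(Owner)` to list the non-matching dns values, then `| eval dns=lower(trim(dns))` before the lookup to see whether case or whitespace is the cause; if the lower/trim variant matches, fix the data (or set case_sensitive_match to false in the lookup definition) rather than leaving the eval in every search.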
I am really confused here, as I have a minimum of at least 25 searches utilizing the CSV file for different types of lookup and I am getting the expected result; however, this one in particular isn't working.
The fields are correct, word for word. It does actually run; it just doesn't return any values for the Owner field. If the field didn't exist, I should get an error that it can't match the fields.
And have you validated that the DNS values from your search results are available in the lookup file?
Run this and see if it returns anything.
index=main sourcetype=ServerList dns=* | dedup dns | table dns | eval From="search"| append [| inputlookup ServerList.csv | table dns Owner | eval From="lookup" ] | stats values(*) as * by dns
Yes, I validated that the DNS values exist in the lookup file.
I ran the search you suggested; I get the DNS from the search, and I also get the DNS from the lookup file with the respective Owners against them.
I guess this confirms the lookup file works and the search criteria work as well. So what do I do to make it work now?