
Edit an Automatic Lookup

zschmid
Path Finder

I have an automatic lookup in which I need to rename one of the lookup fields.

Right now, whenever a search runs that has source="wsus", the automatic lookup correlates the hostname from the event with the hostname in the lookup file and adds both a business and a sub_business field to the event. I need to rename the business field to "newbusiness"; however, in doing so, it seems as if the old automatic lookup field names are actually part of the event.

I was under the assumption that automatic lookups run at search time. Am I mistaken? Even after completely deleting the automatic lookup, both the business and sub_business fields still appear in the events, and if I try to rename the business field to newbusiness in the automatic lookup, when I run a search for source="wsus" it still returns only business and sub_business.

Any suggestions? Am I overlooking something? Your help is much appreciated.

Thanks!

1 Solution

zschmid
Path Finder

I figured out the solution to this problem.

When defining a source in an automatic lookup, it is case sensitive: WSUS != wsus. I defined my automatic lookup to look for source=wsus when all my events were tagged with source=WSUS.

Somewhat of a minor annoyance, and it was a little more of a headache to figure out than I would have liked.

I wish there was a little more consistency in the way that Splunk handles case sensitivity and this is a perfect example.

If from a Splunk search I can search for source=wsus and it'll return something that is defined as source=WSUS, shouldn't the same logic apply to an automatic lookup?

Again, minor annoyance but hopefully this saves someone some time if you run into the same problem.

Thanks!


twinspop
Influencer

Wow, thanks for this tip. That sure sounds like a bug, but this answer is 2 years old and this behavior is still present in 5.0.2. 😞


gkanapathy
Splunk Employee

Lookups only run at search time, so if the fields are getting looked up and added to the event, it seems like there's some configuration problem, perhaps in a different app or a private user context.

Note that a lookup can be configured to output the field names differently from what's in the file, e.g.:

LOOKUP-1 = mylookup infield1 OUTPUT filefieldname AS displayfieldname file2 AS displayfield2
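The two points raised in this thread, the case-sensitive source stanza name from the accepted solution and the OUTPUT ... AS rename gkanapathy describes above, combined into one configuration example. This is added here and is not configuration from the original thread or from Splunk's own docs; the app name wsus_app, the lookup name wsus_hosts, the CSV contents and the newbusiness field name are assumptions chosen to match the question.

```ini
# Added example, not from the thread. Assumed file layout:
#   $SPLUNK_HOME/etc/apps/wsus_app/local/props.conf
#   $SPLUNK_HOME/etc/apps/wsus_app/local/transforms.conf
#   $SPLUNK_HOME/etc/apps/wsus_app/lookups/wsus_hosts.csv
# The app name, lookup name and CSV rows are made up for illustration.

# ---------- transforms.conf ----------
# Defines the lookup table that the automatic lookup below refers to.
[wsus_hosts]
filename = wsus_hosts.csv
# Match the hostname VALUE case-insensitively (default true = case sensitive).
# This affects only matching against the CSV, not the props.conf stanza name.
case_sensitive_match = false

# ---------- props.conf ----------
# Stanza names are case sensitive. Events indexed with source=WSUS are NOT
# matched by [source::wsus]; the stanza must use the exact indexed value.
# (A search for source=wsus still finds them, which is what made this confusing.)
[source::WSUS]
# Match the event's hostname field against the CSV's hostname column, rename
# business -> newbusiness on output, and keep sub_business under its own name.
# OUTPUT overwrites fields already present in the event. For summary-indexed
# events whose scheduled search already stored business/sub_business, use
# OUTPUTNEW instead if the stored values should win over the lookup.
LOOKUP-wsus_business = wsus_hosts hostname OUTPUT business AS newbusiness sub_business

# ---------- wsus_hosts.csv (constructed sample) ----------
# hostname,business,sub_business
# wsus-01,Finance,Payroll
# wsus-02,Engineering,Build Farm
```

After a restart, check which stanza Splunk actually merged with `splunk btool props list --debug | grep -i wsus`; the `--debug` flag prints the file each setting came from, which is how a stray copy of the lookup in another app or in a user's private directory (the configuration problem gkanapathy suggests) shows up. A search such as `index=summary source=WSUS | table hostname newbusiness sub_business` should then show newbusiness populated. If only the old field names appear no matter what the LOOKUP- line says, they are fields stored in the summary events by the scheduled search, not lookup output.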

zschmid
Path Finder

We're actually just using | table field1, field2, field3, field4 to dump those records into the summary.


gkanapathy
Splunk Employee

Uh, and are you generating the summary using stats or sistats (or another si command)?


zschmid
Path Finder

I'll continue to poke around and see if I find anything. Just to confirm, the job name is indeed WSUS and it's displaying as source=wsus (and returning events) in the summary index.


gkanapathy
Splunk Employee

I guess you could run a lookup on a summary index, but the "source" is the name of the job that inserted the data, and that's probably what you need to base it on.


zschmid
Path Finder

A few more findings. After doing some investigating, I've realized I'm actually running the automatic lookup on sourcetype (not source), which means it's running the lookup on the scheduled searches prior to inserting them into the summary index. That explains the stored fields.

However, my question remains: can you run an automatic lookup on a summary index? I've created a new automatic lookup with source=wsus, but when I run it on the summary index, no fields are added to the events.


zschmid
Path Finder

Thanks. I've restarted a few times but nothing seems to take. Gkanapathy - to answer your question, yes, this is running in a distributed environment.


gkanapathy
Splunk Employee

Oh yeah, have you restarted? Also, do you happen to have a distributed environment, or just a single server?


David
Splunk Employee

When troubleshooting configuration changes that don't seem to apply, I'm a big fan of frequent restarts and (on linux) "cd /opt/splunk/etc && grep -R sub_business" or (on windows) "cd c:\Program Files\Splunk\etc && findstr /snip sub_business ."


zschmid
Path Finder

Thanks for your quick response. Do you have any suggestions where to begin troubleshooting a configuration issue?
I understand that I can rename the output field names differently than what is in the file; however, this doesn't really seem to be the issue. Regardless of what I put, only the original field names appear.

I should also note that this source="wsus" is in a summary index, but I figured that shouldn't make a difference.
