External file lookup is failing, possibly due to a "/" character in the lookup fields.

Explorer

Hi all,

I'm having trouble getting an external file lookup to work in the Search app. I've set up a number of these previously and have had no issues, but this one is failing and I can't seem to work out why. The props.conf and transforms.conf seem OK, as if I add some dummy data I get the results I'm looking for, but with the live data it's failing. I have a feeling it's because of the "/" characters in the initial lookup. Below is a sample of the lookup file:

port,device
GigabitEthernet1/0/1,Server1
GigabitEthernet1/0/2,Server2
GigabitEthernet1/0/3,Server3
GigabitEthernet1/0/4,Server4
GigabitEthernet1/0/5,Server5
GigabitEthernet1/0/6,Server6
GigabitEthernet1/0/7,Server7

Can anyone confirm and let me know if there's any way I can work around this?

Thanks,

Martin

0 Karma

Champion

All you need to do is ensure they're enclosed within speech marks, e.g.

"GigabitEthernet1/0/1",Server1
"GigabitEthernet1/0/2",Server2

Explorer

Thanks for the feedback, guys. Still struggling even with the quotes around the text. I don't get any errors, just no results. I've tried a few variations of quotes too, single and double.

0 Karma

Builder

You can replace the / character in your field if you want to test it out. One way you can do this is by using the eval mvsplit command to turn that field into a multi-valued field and then use the eval mvzip to put it back together with a new character to replace the /. Then just update your lookup to replace the / character as well.

I do however have a lookup with a / and it works.
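The lookup-file half of the test suggested in the post above, as an added example that is not part of the original thread: it replaces `/` with `_` in the `port` column of the sample lookup and refuses to continue if two keys would collide after the replacement. The `_` replacement character and the function name are assumptions; the same replacement has to be applied to the event field at search time (for instance with the eval `replace()` function) so both sides match.

```python
import csv
import io

# Constructed sample based on the lookup rows quoted in this thread.
SAMPLE = (
    "port,device\n"
    '"GigabitEthernet1/0/1",Server1\n'
    "GigabitEthernet1/0/2,Server2\n"
)


def normalize_lookup(csv_text, key_field="port", old="/", new="_"):
    """Return (csv_text, changed) with `old` replaced by `new` in key_field.

    Hypothetical helper: raises ValueError if the key column is missing or
    if two different original keys would end up identical.
    """
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    if not reader.fieldnames or key_field not in reader.fieldnames:
        raise ValueError(f"column {key_field!r} not found in lookup header")

    out = io.StringIO(newline="")
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames,
                            lineterminator="\n")
    writer.writeheader()

    seen = {}      # normalized key -> original key, for collision checks
    changed = 0
    for row in reader:
        original = row[key_field] or ""
        key = original.replace(old, new)
        if key in seen and seen[key] != original:
            raise ValueError(
                f"{original!r} and {seen[key]!r} both become {key!r}")
        seen[key] = original
        if key != original:
            changed += 1
        row[key_field] = key
        writer.writerow(row)
    return out.getvalue(), changed


if __name__ == "__main__":
    text, count = normalize_lookup(SAMPLE)
    print(text, end="")
    print(f"# {count} key(s) rewritten")
```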

Builder

I have a lookup that uses / within the field that I am looking up and it works.

0 Karma