Re: How do I get Automatic Lookup to handle null v...

khudson3 · ‎09-20-2019

My automatic lookup csv file is using say 2 columns; Col1 & Col2. Row entries are 'Success' & 'Failure' in Col1. Col 2 has the value / char '1' & null / no value entry in the opposite cells. I want searches to lookup and replace null with value=Failure. I'm seeing the mapping for 'Success' working but nothing for null / no cell value entry. Is there a csv file value / character entry that maps to null search value?

woodcock · ‎10-14-2019

You can add | fillnull value="Failure" after the lookup or you can create a lookup definition that sets a default value and use the lookup definition with the | lookup call (not the lookup file).

HiroshiSatoh · ‎09-20-2019

Isn't it possible to use calculated fields instead of "automatic lookup"?

DavidHourani · ‎09-23-2019

yeah that's a better idea if it's just success/failure 🙂

khudson3 · ‎09-23-2019

The real life scenario is mapping to lists from a specification, where there will be more than just two outcomes:

Col1,Col2
No failure,null
Source application or not sent,0
System,1

DavidHourani · ‎09-23-2019

why not just use fillnull first and follow that up with a lookup ?

khudson3 · ‎09-23-2019

Yes I could easily workaround the issue with fullnull or eval etc. But I wanted to understand whether there was a direct csv mapping that could work, as it seems quite poor if automatic lookup cannot handle null values appropriately.

richgalloway · ‎09-20-2019

The easiest thing to do is change the lookup csv file to not have an empty Col2.

---
If this reply helps you, Karma would be appreciated.

khudson3 · ‎09-22-2019

Null is being returned for the search that the lookup is running on, so 0 cannot be used and the fullnull command can only be executed after the search. Need to know whether there is a csv mapping for null char.

richgalloway · ‎09-23-2019

Have you tried using isnull to test the output of the lookup? Share your query and I may be able to be more specific?

---
If this reply helps you, Karma would be appreciated.

khudson3 · ‎09-23-2019

Yes I've tried issull. My search events are returning true null values, but the auto lookup is not applying / handling the transformation and the values remain null. In the auto lookup csv I've used entries ="",empty etc.

If I use | fillnull value=- or equiv then I see the null automatic lookup new fields but the data is still null.

The search query does not really have a bearing on the question as it contains no transformations.

khudson3 · ‎09-20-2019

Doesn't have an empty Col2 it has 1 & null cells. 1 is working for Success whereas null is not being mapped.

khudson3 · ‎09-20-2019

Col1 Col2
Success 1
Failure

richgalloway · ‎09-20-2019

null==empty. If you can change the CSV file to have

Col1,Col2
Success,1
Failure,0

then you'll avoid convoluted SPL.

---
If this reply helps you, Karma would be appreciated.

How do I get Automatic Lookup to handle null value lookups?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk