Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get a field from a lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get a field from a lookup
ok, here is my dilemma
I have a lookup table like this:
_raw,sourcetype,alertMessage,severity
*Reloading repositories*,liferay,Reloading repositories,high
*RememberMe*,liferay,Remember Me,low
When I do a search like this:
index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ]
I get the correct number of results returned for the 2 strings in _raw in the lookup, so all good.
Now I would like to apply the lookup field called alertMessages to the matching _raw events.
I thought maybe something like this:
index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ]| lookup update=true pre-ces-alerts.csv _raw OUTPUT alertMessage
but it's doesn't create the field alertMessages
If I select sourcetype as the lookup field like this:
index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ]| lookup update=true pre-ces-alerts.csv sourcetype OUTPUT alertMessage
I get the alertMessage as an interesting field but both of the alertMessage strings get applied to every event because their sourcetype is the same.
What I suspect is that because my _raw lookup string is not an exact match to the _raw event field (albeit a wild card match) it doesn't apply the alertMessage field.
Can anyone tell me what I am missing here?
Kind Regards
Peter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi proylea,
your using *RememberMe* and another wild card field in the lookup; did you configure the lookup to use match_type = WILDCARD(fieldname) in transforms.conf? The default for lookups is match_type = EXACT - see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks MuS
I think that is my missing piece.
This is a Splunk cloud environment, can I make that change in the UI or do I need to pass a transforms.conf to the cloud team?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No UI access to any transforms.conf in cloud 😞 So, you need to pass it to the cloud ops ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks MuS you're a legend
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
blush thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Think your missing the format command.
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Format
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, but I have used the return command specifically because the format command was not returning the result correctly.
I am getting the correct number of results returned I am just unable to apply the alertMessage field from the lookup to the corresponding _raw events
Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
