How to get a field from a lookup

proylea
Contributor

OK, here is my dilemma.

I have a lookup table like this:

_raw,sourcetype,alertMessage,severity
*Reloading repositories*,liferay,Reloading repositories,high
*RememberMe*,liferay,Remember Me,low

When I do a search like this:

index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ]

I get the correct number of results returned for the 2 strings in _raw in the lookup, so all good.

Now I would like to apply the lookup field called alertMessage to the matching _raw events.

I thought maybe something like this:

index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ]| lookup update=true pre-ces-alerts.csv _raw OUTPUT alertMessage

but it doesn't create the field alertMessage.

If I select sourcetype as the lookup field like this:

index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ]| lookup update=true pre-ces-alerts.csv sourcetype OUTPUT alertMessage

I get alertMessage as an interesting field, but both of the alertMessage strings get applied to every event because their sourcetype is the same.

What I suspect is that because my _raw lookup string is not an exact match to the _raw event field (albeit a wildcard match) it doesn't apply the alertMessage field.

Can anyone tell me what I am missing here?

Kind Regards
Peter


MuS
SplunkTrust

Hi proylea,

You're using *RememberMe* and another wildcard value in the lookup; did you configure the lookup to use match_type = WILDCARD(fieldname) in transforms.conf? The default for lookups is match_type = EXACT - see the docs for more details: http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf

Hope this helps ...

cheers, MuS
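The transforms.conf lookup definition that answer describes, written out as an added example (it is not from the thread or from Splunk's own docs). The CSV name and column names are the ones in the question; the stanza name pre-ces-alerts, the app path, and the max_matches choice are assumptions:

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf on the search head
# (path and app name assumed). The CSV itself lives in that app's lookups/ folder.
[pre-ces-alerts]
filename = pre-ces-alerts.csv

# Default is match_type = EXACT, so the CSV value "*Reloading repositories*"
# only matches an event whose _raw is literally that string, asterisks included.
# WILDCARD(_raw) makes each * in the _raw column match any run of characters,
# which is what the question's "substring of _raw" lookup needs.
match_type = WILDCARD(_raw)

# Default is 1000, i.e. an event that matches several CSV rows gets a
# multivalue alertMessage. Setting 1 keeps the first matching row in file order.
max_matches = 1

# Default is true; uncomment to let "*rememberme*" also hit "RememberMe".
# case_sensitive_match = false
```

Once the definition exists, reference it by stanza name rather than by filename, e.g. `index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ] | lookup pre-ces-alerts _raw OUTPUT alertMessage`. The same settings are exposed in Splunk Web under Settings > Lookups > Lookup definitions > Advanced options (Match type, Maximum matches, Case sensitive match), which writes the same stanza.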

proylea
Contributor

Thanks MuS
I think that is my missing piece.
This is a Splunk Cloud environment; can I make that change in the UI, or do I need to pass a transforms.conf to the cloud team?


MuS
SplunkTrust

No UI access to any transforms.conf in Cloud 😞 So you need to pass it to the cloud ops ...


proylea
Contributor

Thanks MuS, you're a legend.


MuS
SplunkTrust

*blush* thanks 🙂


teunlaan
Contributor

proylea
Contributor

Thanks, but I have used the return command specifically because the format command was not returning the result correctly.

I am getting the correct number of results returned; I am just unable to apply the alertMessage field from the lookup to the corresponding _raw events.
