ok, here is my dilemma
I have a lookup table like this:
_raw,sourcetype,alertMessage,severity
*Reloading repositories*,liferay,Reloading repositories,high
*RememberMe*,liferay,Remember Me,low
When I do a search like this:
index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ]
I get the correct number of results returned for the 2 strings in _raw in the lookup, so all good.
Now I would like to apply the lookup field called alertMessages to the matching _raw events.
I thought maybe something like this:
index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ]| lookup update=true pre-ces-alerts.csv _raw OUTPUT alertMessage
but it doesn't create the field alertMessages
If I select sourcetype as the lookup field like this:
index=pre_ces [|inputlookup pre-ces-alerts.csv | return 100 $_raw ]| lookup update=true pre-ces-alerts.csv sourcetype OUTPUT alertMessage
I get the alertMessage as an interesting field but both of the alertMessage strings get applied to every event because their sourcetype is the same.
What I suspect is that because my _raw lookup string is not an exact match to the _raw event field (albeit a wild card match) it doesn't apply the alertMessage field.
Can anyone tell me what I am missing here?
Kind Regards
Peter
Hi proylea,
you're using *RememberMe* and another wild card field in the lookup; did you configure the lookup to use match_type = WILDCARD(fieldname) in transforms.conf? The default for lookups is match_type = EXACT
- see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Transformsconf
Hope this helps ...
cheers, MuS
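To make the two behaviours discussed in this thread concrete, here is an added example (not part of the thread, and not Splunk's own code) that emulates how a CSV lookup joins rows to events under EXACT and WILDCARD matching, using the lookup table from the question and a few constructed log lines. The transforms.conf stanza carried as a string is the assumed form of the change MuS describes; the stanza name pre-ces-alerts is an assumption, and once such a stanza exists the search references the stanza name rather than the .csv filename.

```python
"""Emulate Splunk lookup matching for the thread's CSV.

Added example: shows why '| lookup ... _raw OUTPUT alertMessage' adds nothing
under the default EXACT match, why matching on sourcetype tags every event with
both messages, and what WILDCARD(_raw) changes.
"""
import csv
import fnmatch
import io

# Assumed transforms.conf stanza (stanza name is an assumption). With it in
# place the search becomes: | lookup pre-ces-alerts _raw OUTPUT alertMessage
TRANSFORMS_CONF = """
[pre-ces-alerts]
filename = pre-ces-alerts.csv
match_type = WILDCARD(_raw)
"""

# The lookup table exactly as posted in the question.
LOOKUP_CSV = """_raw,sourcetype,alertMessage,severity
*Reloading repositories*,liferay,Reloading repositories,high
*RememberMe*,liferay,Remember Me,low
"""

# Constructed sample events (not from the thread).
EVENTS = [
    {"_raw": "2016-08-01 10:00:01 INFO Reloading repositories for portal",
     "sourcetype": "liferay"},
    {"_raw": "2016-08-01 10:00:05 DEBUG RememberMe cookie set for user 42",
     "sourcetype": "liferay"},
    {"_raw": "2016-08-01 10:00:09 INFO Startup complete",
     "sourcetype": "liferay"},
]


def load_lookup(text):
    """Parse the CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def lookup(events, rows, match_field, output_field, match_type="EXACT"):
    """Return copies of events with output_field added for every matching row.

    EXACT:    the event field must equal the lookup cell character for character,
              so '*RememberMe*' never matches a real log line (the asterisks
              are literal).
    WILDCARD: the lookup cell is treated as a glob (what Splunk does when the
              stanza sets match_type = WILDCARD(match_field)).
    Multiple matching rows produce a list, mirroring a multivalue field.
    """
    if match_type not in ("EXACT", "WILDCARD"):
        raise ValueError("match_type must be EXACT or WILDCARD")
    results = []
    for ev in events:
        out = dict(ev)
        value = ev.get(match_field, "")
        matched = []
        for row in rows:
            pattern = row[match_field]
            if match_type == "EXACT":
                hit = value == pattern
            else:
                hit = fnmatch.fnmatchcase(value, pattern)  # case-sensitive glob
            if hit:
                matched.append(row[output_field])
        if matched:
            out[output_field] = matched
        results.append(out)
    return results


if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV)
    for mode, field in (("EXACT", "_raw"), ("EXACT", "sourcetype"), ("WILDCARD", "_raw")):
        print(f"--- match_type={mode} on {field}")
        for ev in lookup(EVENTS, rows, field, "alertMessage", mode):
            print(ev["_raw"][:45], "->", ev.get("alertMessage"))
```

Running the script prints three passes: the EXACT pass on _raw tags nothing, the EXACT pass on sourcetype tags every event with both messages (the symptom in the question), and the WILDCARD pass on _raw tags only the two matching events with the right message.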
Thanks MuS
I think that is my missing piece.
This is a Splunk cloud environment, can I make that change in the UI or do I need to pass a transforms.conf to the cloud team?
No UI access to any transforms.conf in cloud 😞 So, you need to pass it to the cloud ops ...
Thanks MuS you're a legend
blush thanks 🙂
Think you're missing the format command.
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Format
Thanks, but I have used the return command specifically because the format command was not returning the result correctly.
I am getting the correct number of results returned; I am just unable to apply the alertMessage field from the lookup to the corresponding _raw events.