Splunk Search

Java SDK: how do you return lookup fields in search results?

scriv
Explorer

How do I receive lookup values in results from the Java SDK? When I run this query in the GUI, I see my lookup fields in grey as highlighted:
You can see the Region and Site fields.
However, I cannot see these fields in the event result in Java:

I added the setEnableLookups to the job arguments:
jobargs.setEnableLookups(true);
But still, they cannot be found. Am I looking in the wrong place? Do I need to enable something else?
Thanks,

1 Solution

alacercogitatus
SplunkTrust

There are a few routes here to take.

As @acruise mentions, you can |table Region Site * to explicitly declare the fields within the search.

You may also be experiencing a permissions issue with the lookups being in a different app context than where the search is being run. Check permissions, or use a different namespace in the JAVA.

Thirdly, you can try setting a jobArg with required fields. As documented, the events should return the fields, whether they are used or not.

jobArgs.setRequiredFieldList(java.lang.String[] requiredFieldList)
Sets one or more required fields to the search. These fields, even if not referenced or used directly by the search, are still included by the events and summary endpoints. Splunk Web uses these fields to prepopulate panels in the Search view.

http://docs.splunk.com/DocumentationStatic/JavaSDK/1.6.0/index.html?com/splunk/JobArgs.html
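
The routes from the answer above combined into one program, as an added example that is not part of the original posts: it connects in an explicit app namespace, requests Region and Site as required fields, and reports per event which lookup fields are still missing (the symptom of a lookup the search user cannot see). The host, the SPLUNK_USER/SPLUNK_PASS environment variables, the "search" app and the query are assumptions.

```java
import com.splunk.*;
import java.io.InputStream;
import java.util.*;

public class LookupFieldCheck {
    // Lookup output fields from the question.
    static final String[] LOOKUP_FIELDS = {"Region", "Site"};

    // Returns the lookup fields that are absent from one returned event.
    static List<String> missingFields(Map<String, String> event) {
        List<String> missing = new ArrayList<>();
        for (String field : LOOKUP_FIELDS) {
            if (!event.containsKey(field)) missing.add(field);
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        ServiceArgs login = new ServiceArgs();
        login.setHost("localhost");                       // assumption
        login.setPort(8089);                              // default management port
        login.setUsername(System.getenv("SPLUNK_USER"));  // assumption: credentials from env
        login.setPassword(System.getenv("SPLUNK_PASS"));
        login.setApp("search");    // assumption: app context where the lookup is shared
        login.setOwner("nobody");
        Service service = Service.connect(login);

        JobArgs jobArgs = new JobArgs();
        jobArgs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING); // create() returns when done
        jobArgs.setEnableLookups(true);
        jobArgs.setRequiredFieldList(LOOKUP_FIELDS);
        // Placeholder query; substitute the search that shows the fields in the GUI.
        Job job = service.getJobs().create("search index=main | head 20", jobArgs);

        JobEventsArgs eventsArgs = new JobEventsArgs();
        eventsArgs.setOutputMode(JobEventsArgs.OutputMode.XML);
        try (InputStream stream = job.getEvents(eventsArgs)) {
            ResultsReaderXml reader = new ResultsReaderXml(stream);
            Map<String, String> event;
            while ((event = reader.getNextEvent()) != null) {
                List<String> missing = missingFields(event);
                System.out.println(missing.isEmpty()
                        ? "Region=" + event.get("Region") + " Site=" + event.get("Site")
                        : "missing lookup fields: " + missing);
            }
            reader.close();
        }
    }
}
```

If every event reports missing fields while the same search shows them in the GUI, compare the sharing of the lookup objects with the app and owner set on the connection.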

scriv
Explorer

Thanks for these tips. I eventually found the problem, and as you pointed out, it was to do with permissions. I had already set the permissions for the Lookup Table File and the definition to Global everyone, but it turned out that I also needed to set this permission for the Automatic Lookup setting as well! It's working perfectly now - thanks so much. And thanks @acruise, too!

Cheers

0 Karma

acruise_splunk
Splunk Employee

I believe what you're seeing is due to Field Discovery -- search will show you fields that wouldn't be auto-extracted when you use lower-level query APIs. If you specifically request the fields you're looking for by name, It Should Just Work™! 🙂

0 Karma

scriv
Explorer

Thanks @acruise. I added my response to alacercogitatus's Answer.

0 Karma