Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Java SDK: how do you return lookup fields in search results?

scriv
Explorer
‎08-14-2017 03:35 PM

How do I receive lookup values in results from the Java SDK? When I run this query in the GUI, I see my lookup fields in grey as highlighted:
alt text
You can see the Region and Site fields.
However, I cannot see these fields in the event result in Java:

alt text

I added the setEnableLookups to the job arguments:
jobargs.setEnableLookups(true);
But still, they cannot be found. Am I looking in the wrong place? Do I need to enable something else?
Thanks,

Preview file
151 KB
Preview file
179 KB
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎08-22-2017 12:22 PM

There are a few routes here to take.

As @acruise mentions, you can |table Region Site * to explicitly declare the fields within the search.

You may also be experiencing a permissions issue with the lookups being in a different app context then where the search is being run. Check permissions, or use a different namespace in the JAVA.

Thirdly, You can try setting a jobArg with required fields. As documented, the events should return the fields, whether they are used or not. 

jobArgs.setRequiredFieldList(java.lang.String[] requiredFieldList)
Sets one or more required fields to the search. These fields, even if not referenced or used directly by the search, are still included by the events and summary endpoints. Splunk Web uses these fields to prepopulate panels in the Search view.

http://docs.splunk.com/DocumentationStatic/JavaSDK/1.6.0/index.html?com/splunk/JobArgs.html

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎08-22-2017 12:22 PM

There are a few routes here to take.

As @acruise mentions, you can |table Region Site * to explicitly declare the fields within the search.

You may also be experiencing a permissions issue with the lookups being in a different app context then where the search is being run. Check permissions, or use a different namespace in the JAVA.

Thirdly, You can try setting a jobArg with required fields. As documented, the events should return the fields, whether they are used or not. 

jobArgs.setRequiredFieldList(java.lang.String[] requiredFieldList)
Sets one or more required fields to the search. These fields, even if not referenced or used directly by the search, are still included by the events and summary endpoints. Splunk Web uses these fields to prepopulate panels in the Search view.

http://docs.splunk.com/DocumentationStatic/JavaSDK/1.6.0/index.html?com/splunk/JobArgs.html

Reply
Solved! Jump to solution

scriv
Explorer
‎08-23-2017 05:40 AM

Thanks for these tips. I eventually found the problem, and as you pointed out, it was to do with permissions. I had already set the permissions for the Lookup Table File and the definition to Global everyone, but, it turned out that I also needed to set this permission for the Automatic Lookup setting, as well! It's working perfectly now - thanks so much. And thanks @acruise, too!

Cheers

0 Karma
Reply
Solved! Jump to solution

acruise_splunk
Splunk Employee
Splunk Employee
‎08-22-2017 12:16 PM

I believe what you're seeing is due to Field Discovery -- search will show you fields that wouldn't be auto-extracted when you use lower-level query APIs. If you specifically request the fields you're looking for by name, It Should Just Work™! 🙂

0 Karma
Reply
Solved! Jump to solution

scriv
Explorer
‎08-23-2017 05:29 AM

Thanks @acruise. I added my response to alacercogitatus's Answer

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...