Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup Table Issues
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookup Table Issues
would inputs.csv be a better way to conduct this type of operation. Say i have 100 hosts comming in from my cmdb everyday and i want to run a report on 65 of thoese hostnames that are dynamic and are not going to be the same two days in a row. Is there a way to take the csv file that is going to be exported daily from my cmdb and then run it against a precreated report in splunk. This way i will not have to change the search query everyday and it will just run at a set time.
I have a lookup table that looks like this:
It is called host.csv
hostname
host1
host2
host3
host4
I do not understand why i can not import the information using the UI. I keep on getting this error message:Encountered the following error while trying to save: In handler 'lookup-table-files': File is binary and not gzipped
Then when i change it to binary, it says the same thing only though backwards. Does anyone have any suggestions? I am trying to set a lookup table equal to host1 host2 host3 host4 and then when i call the table it will run against all of these hosts. Any help would be helpful. This is the first lookup table i have ever created.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This issue happened with me when I've a column that has German letters ü,ß,ä ...
after I removed this column from csv file it uploaded successfully
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
would inputs.csv be a better way to conduct this type of operation. Say i have 100 hosts comming in from my cmdb everyday and i want to run a report on 65 of thoese hostnames that are dynamic and are not going to be the same two days in a row. Is there a way to take the csv file that is going to be exported daily from my cmdb and then run it against a precreated report in splunk. This way i will not have to change the search query everyday and it will just run at a set time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also check to see that the file is saved in UTF-8 format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This probably won't be the most helpful posting (sorry)...there was a previous Answer about this that points to (possibly hidden) special characters. Is that a possibility here? And I assume you are following the procedure in the documentation for doing lookups from a static file, and you've edited transforms.conf and props.conf and restarted Splunk?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to edit the transforms and props.conf files, i am just not sure if this is possible to do. I just want to grab the information from those host1,2,3,4 and set it equal to hostname.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
