
Lookup command not functioning properly

Engager

Hi all,

I have the following command:-

| savedsearch issue_with_lookup team="$token$" team_from_roster="$token$" team_roster_count="$token$"
| eval team="$token$"
| eval current_owner = if(current_owner = "","NA", current_owner)
| eval ID = current_owner
| where current_owner != "NA"
| lookup example.csv name as current_owner OUTPUT sys_id as user_sys_id
| table ticket_number, systemid, current_owner, assigneeID, team, reassignment, user_sys_id
| rename ticket_number as ticketName, systemid as ticketID, current_owner as assigneeName, reassignment as reassignmentflag
| search NOT
[search index=abc earliest=-6m latest=now
| dedup ticketName | table ticketName ]

Now the issue is when I run this query, all the fields occur except user_sys_id, whose value is definitely present in the lookup and should reflect but is not. This is a scheduled query which runs every 6 mins.

0 Karma

Re: Lookup command not functioning properly

Communicator

Are you saying that the field is blank or that the column is gone in your results?

0 Karma

Re: Lookup command not functioning properly

SplunkTrust

Okay, the way you debug something like this is to start one item at a time. Let's say that your lookup and your data supposedly include a team called "Rockets" with an owner called "Jim-Bob".

STEP ONE

| savedsearch issue_with_lookup team="$token$" team_from_roster="$token$" team_roster_count="$token$"
| eval team="$token$"
| where current_owner = "Jim-Bob"

Is the record there? Then proceed. If not, then figure out if the field name is wrong or whatever.

STEP TWO

| savedsearch issue_with_lookup team="$token$" team_from_roster="$token$" team_roster_count="$token$"
| eval team="$token$"
| where current_owner = "Jim-Bob"
| lookup example.csv name as current_owner OUTPUT sys_id as user_sys_id

Has the user_sys_id been added? If not, then check the exact spelling, or run this alternate way ...

| savedsearch issue_with_lookup team="$token$" team_from_roster="$token$" team_roster_count="$token$"
| eval team="$token$"
| where current_owner = "Jim-Bob"

| append [| inputlookup example.csv
      | table  name sys_id 
      | rename name as current_owner sys_id as user_sys_id
      | eval rectype = "lookup"
      ]
 | eventstats values(user_sys_id) as user_sys_id by current_owner
 | sort 0 current_owner

Look down in the order where Jim-Bob is supposed to be. Is it there now? Is it on a single row? If there are two rows there, then there may be special characters in your lookup.

If you get this far and haven't solved it, or get any odd results in the above, then let us know and we can help debug further.


Re: Lookup command not functioning properly

Engager

Hi, actually there wasn't an issue with the lookup, there was another file with which the name is matched with this lookup (defined in the savedsearch at the 1st line) and that name was inserted wrong (a "space error").

Thank you for your response. I will definitely try this method as well as it looks more organised.


Re: Lookup command not functioning properly

SplunkTrust

Great, glad you got what you needed.

With this kind of issue, you always have to just keep cutting the problem in half and finding which half the error is in. Eventually, you run out of things that could be it.

0 Karma
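
Added example (not part of the original thread, and not Splunk's own code): an offline check that compares event values against the key column of an exported lookup CSV and flags values that only match once stray spaces or invisible characters are normalized, which is the "space error" / "special characters" case discussed above. The sample CSV and owner names are constructed; the column names name and sys_id follow the thread.

```python
import csv
import io
import unicodedata

# Constructed sample data: a lookup export and the values seen in events.
LOOKUP_CSV = "name,sys_id\nJim-Bob,1001\nAnn Lee ,1002\nRaj\u00a0Patel,1003\nMei Chen,1004\n"
EVENT_OWNERS = ["Jim-Bob", "Ann Lee", "Raj Patel", "Mei  Chen", "Zed"]


def normalize(value):
    """Fold compatibility forms (e.g. no-break space to space), drop invisible
    format characters such as zero-width spaces, then trim and collapse whitespace."""
    folded = unicodedata.normalize("NFKC", value)
    visible = "".join(c for c in folded if unicodedata.category(c) != "Cf")
    return " ".join(visible.split())


def diagnose(lookup_text, event_values, key="name"):
    """Return (event_value, status, lookup_key) tuples, where status is
    'exact', 'near_miss' (matches only after normalization) or 'missing'."""
    rows = list(csv.DictReader(io.StringIO(lookup_text)))
    exact = {row[key] for row in rows}
    by_norm = {}
    for row in rows:
        by_norm.setdefault(normalize(row[key]), []).append(row[key])
    report = []
    for value in event_values:
        if value in exact:
            report.append((value, "exact", value))
        elif normalize(value) in by_norm:
            report.append((value, "near_miss", by_norm[normalize(value)][0]))
        else:
            report.append((value, "missing", None))
    return report


if __name__ == "__main__":
    for value, status, lookup_key in diagnose(LOOKUP_CSV, EVENT_OWNERS):
        # ascii() makes trailing spaces and non-ASCII whitespace visible.
        shown = ascii(lookup_key) if lookup_key is not None else "-"
        print(f"{status:9} event={ascii(value)} lookup={shown}")
```

A near_miss row shows which side carries the stray character, so it can be fixed in the lookup file or in the data feeding the search.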