Solved: Re: Lookup does not return data

pramit46 · ‎07-21-2016

I am doing a small proof of concept on lookup command.
I have a look up csv file with the table:

env    status    date
prod     up    7/21/2016
int      up    7/20/2016
sit     down   7/19/2016
qa      down   7/21/2016
test    down   7/20/2016
stage   down   7/18/2016

Now I have setup the lookup definition ( lookup_try ) with global permission.

Then I try to run this command:

index=* |head 1|eval env="Prod"|lookup lookup_try env OUTPUT status date

It does not print the values of status and date. Where am I going wrong?

hardikJsheth · ‎07-21-2016

You can make lookup search case insensitive by adding case_sensitive_match =false in your lookup stanza.

View solution in original post

hardikJsheth · ‎07-21-2016

You can make lookup search case insensitive by adding case_sensitive_match =false in your lookup stanza.

woodcock · ‎07-21-2016

Lookups are CASE-SENSITIVE by default (but there is a setting to make them case-insensitive). Try this (cut and paste exactly as is):

| noop | stats count AS env |eval env="prod" | lookup lookup_try env

gcusello · ‎07-21-2016

are you sure of the name of the lookup? its name is lookup_try or lookup_try.csv?
You can try it with | inputlookup command
| inputlookup lookup_try.csv
Bye.
Giuseppe

Javip · ‎07-21-2016

Hi!

I suppose you've tested this search before and you can see your CSV list:
| inputlookup lookup_try.csv

If ok, try this:
index=* |head 1|eval env="prod"|lookup lookup_try env OUTPUT status date

Regards.

Lookup does not return data

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor