Splunk Search

Lookup query not working

snappersdad
New Member

All,

I am running Splunk 7.2.6 under Debian 9.9.

I am searching using index = main and picking the top 5 http status codes.

I am attempting to "pipe" those codes to a lookup function; however, I am not getting any output from the lookup command

Here is the first part of the Search String: index=main | top field11 showperc=false, showcount=false

Here is what the output looks like

field11

302

301

200

404

500

I am attempting to "pipe" the output to a lookup command: "lookup http_status status OUTPUT status_description, status_type"

Here is the contents of the http_status.csv file:

status,status_description,status_type
100,Continue,Informational
101,Switching Protocols,Informational
200,OK,Successful
201,Created,Successful
202,Accepted,Successful
203,Non-Authoritative Information,Successful
204,No Content,Successful
205,Reset Content,Successful
206,Partial Content,Successful
300,Multiple Choices,Redirection
301,Moved Permanently,Redirection
302,Found,Redirection
303,See Other,Redirection
304,Not Modified,Redirection
305,Use Proxy,Redirection
307,Temporary Redirect,Redirection
400,Bad Request,Client Error
401,Unauthorized,Client Error
402,Payment Required,Client Error
403,Forbidden,Client Error
404,Not Found,Client Error
405,Method Not Allowed,Client Error
406,Not Acceptable,Client Error
407,Proxy Authentication Required,Client Error
408,Request Timeout,Client Error
409,Conflict,Client Error
410,Gone,Client Error
411,Length Required,Client Error
412,Precondition Failed,Client Error
413,Request Entity Too Large,Client Error
414,Request-URI Too Long,Client Error
415,Unsupported Media Type,Client Error
416,Requested Range Not Satisfiable,Client Error
417,Expectation Failed,Client Error
500,Internal Server Error,Server Error
501,Not Implemented,Server Error
502,Bad Gateway,Server Error
503,Service Unavailable,Server Error
504,Gateway Timeout,Server Error
505,HTTP Version Not Supported,Server Error

Issue: I am not seeing either the status_description or the status_type in the output.

It's like the lookup is not working.

I can run the following command and see the http_status.csv file: |inputlookup http_status

Any help would be appreciated...

Thanks

0 Karma
1 Solution

solarboyz1
Builder

You need to tell the lookup which fields to match, in this case you want to match the status field in the lookup against field11

| lookup http_status status as field11 OUTPUT status_description, status_type

You could also rename field11 before doing the lookup:

| rename field11 as status
| lookup http_status status OUTPUT status_description, status_type

View solution in original post

0 Karma

solarboyz1
Builder

You need to tell the lookup which fields to match, in this case you want to match the status field in the lookup against field11

| lookup http_status status as field11 OUTPUT status_description, status_type

You could also rename field11 before doing the lookup:

| rename field11 as status
| lookup http_status status OUTPUT status_description, status_type
0 Karma

snappersdad
New Member

THANK YOU!

0 Karma

solarboyz1
Builder

Any time, if it worked please accept the answer.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...