Splunk Search

Lookup query not working

New Member

All,

I am running Splunk 7.2.6 under Debian 9.9.

I am searching using index = main and picking the top 5 http status codes.

I am attempting to "pipe" those codes to a lookup function; however, I am not getting any output from the lookup command.

Here is the first part of the Search String: index=main | top field11 showperc=false, showcount=false

Here is what the output looks like:

field11

302

301

200

404

500

I am attempting to "pipe" the output to a lookup command: "lookup http_status status OUTPUT status_description, status_type"

Here are the contents of the http_status.csv file:

status,status_description,status_type
100,Continue,Informational
101,Switching Protocols,Informational
200,OK,Successful
201,Created,Successful
202,Accepted,Successful
203,Non-Authoritative Information,Successful
204,No Content,Successful
205,Reset Content,Successful
206,Partial Content,Successful
300,Multiple Choices,Redirection
301,Moved Permanently,Redirection
302,Found,Redirection
303,See Other,Redirection
304,Not Modified,Redirection
305,Use Proxy,Redirection
307,Temporary Redirect,Redirection
400,Bad Request,Client Error
401,Unauthorized,Client Error
402,Payment Required,Client Error
403,Forbidden,Client Error
404,Not Found,Client Error
405,Method Not Allowed,Client Error
406,Not Acceptable,Client Error
407,Proxy Authentication Required,Client Error
408,Request Timeout,Client Error
409,Conflict,Client Error
410,Gone,Client Error
411,Length Required,Client Error
412,Precondition Failed,Client Error
413,Request Entity Too Large,Client Error
414,Request-URI Too Long,Client Error
415,Unsupported Media Type,Client Error
416,Requested Range Not Satisfiable,Client Error
417,Expectation Failed,Client Error
500,Internal Server Error,Server Error
501,Not Implemented,Server Error
502,Bad Gateway,Server Error
503,Service Unavailable,Server Error
504,Gateway Timeout,Server Error
505,HTTP Version Not Supported,Server Error

Issue: I am not seeing either the status_description or the status_type in the output.

It's like the lookup is not working.

I can run the following command and see the http_status.csv file: | inputlookup http_status

Any help would be appreciated...

Thanks

0 Karma

Builder

You need to tell the lookup which fields to match. In this case, you want to match the status field in the lookup against field11:

| lookup http_status status as field11 OUTPUT status_description, status_type

You could also rename field11 before doing the lookup:

| rename field11 as status
| lookup http_status status OUTPUT status_description, status_type

0 Karma
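
The field mapping from the answer above, as an added example that is not part of the original thread. It builds the five status codes from the question with makeresults so it runs without the poster's index, and adds one constructed code (308) that is absent from the CSV to show what an unmatched row looks like. It assumes a lookup definition named http_status exists, as used in the answer.

```spl
| makeresults count=6
| streamstats count AS n
| eval field11=case(n=1,"302", n=2,"301", n=3,"200", n=4,"404", n=5,"500", n=6,"308")
| fields - _time n
| lookup http_status status AS field11 OUTPUT status_description, status_type
| fillnull value="(no match in lookup)" status_description status_type
| table field11 status_description status_type
```

Only the 308 row carries the fill value. Dropping "AS field11" reproduces the symptom in the question: the events have no field named status, so nothing matches and every row gets the fill value.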

New Member

THANK YOU!

0 Karma

Builder

Any time. If it worked, please accept the answer.

0 Karma