Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup search query results to null

SasiB137
Engager
‎06-16-2015 06:12 PM

csv file users_timeout_value_map.csv content.
TIMEOUT,TIMEOUT_VAL

default_timeout,300

transformes.conf

[users_timeout_value_lookup]
filename = users_timeout_value_map.csv
Question
... | lookup users_timeout_value_lookup TIMEOUT OUTPUT TIMEOUT_VAL | eval TIMEOUT_VALUE=if(isnull(TIMEOUT),18000,TIMEOUT_VAL*60) | table TIMEOUT_VALUE

This always results 1800 as TIMEOUT results to null. Can any one help me plz.

Thanks,
Sasi.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-16-2015 09:48 PM

First, the file name is transforms.conf not transformers.conf, but that is probably just a typo.

Second, you are showing what is in the CSV file, but what is in the search results? The lookup command expects that your search results will include a field named TIMEOUT that can be used in the lookup. if the search results do not contain this field, then you will always get a result of 18000.

If your search results return a field with a different name, then you can use

| lookup users_timeout_value_lookup TIMEOUT as yourfieldname OUTPUT TIMEOUT_VAL

to tell Splunk which field to match against the TIMEOUT field of the CSV file.

View solution in original post

Reply
Solved! Jump to solution

chimell
Motivator
‎06-17-2015 12:55 AM

Hi SasiB137
Make sure that TIMEOUT_VAL field is present in the list of your field and that it is a numeric field

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-16-2015 09:48 PM

First, the file name is transforms.conf not transformers.conf, but that is probably just a typo.

Second, you are showing what is in the CSV file, but what is in the search results? The lookup command expects that your search results will include a field named TIMEOUT that can be used in the lookup. if the search results do not contain this field, then you will always get a result of 18000.

If your search results return a field with a different name, then you can use

| lookup users_timeout_value_lookup TIMEOUT as yourfieldname OUTPUT TIMEOUT_VAL

to tell Splunk which field to match against the TIMEOUT field of the CSV file.

Reply
Solved! Jump to solution

SasiB137
Engager
‎06-17-2015 03:35 AM

this works :
...| eval TIMEOUT="default_timeout" | lookup users_timeout_value_lookup TIMEOUT OUTPUT TIMEOUT_VAL | eval TIMEOUT_VALUE=if(isnull(TIMEOUT_VAL),18000,TIMEOUT_VAL*60) | table TIMEOUT_VALUE

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-16-2015 08:05 PM

What do you get from ... | table TIMEOUT TIMEOUT_VAL TIMEOUT_VALUE ?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

SasiB137
Engager
‎06-17-2015 09:22 AM

null null 1800

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...