- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup table challenges
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookup table challenges
Tried experimenting with the Http Status codes example in the documentation for lookup tables. This is the error.
Could not find the specified look up fields in the look up table for conf, source=mine look up table HttpStatusCodes
Any assistance or reference material would be appreciated.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Voltaire,
It would be nicer if you could paste your config and lookup table, and some information which page you are reffering to.
Well, the information you are looking for is the following, there is a sample lookup table for http status, and how it needs to be configured.
Addfieldsfromexternaldatasources
But I guess you have already configured your lookup table.
Try to run the following inputlookup command to see if your lookup table is configured and accessible from Splunk.
| inputlookup YOUR_LOOKUP_TABLE_NAME
and see the field name you looked up exists and the lookup command you ran properly set.
for example, if input fieldname in your data and column name in lookup table are different, you need to associate the fieldname and colunmane using as in your lookup command like this:
... | lookup http_status status_code_in_lookup as status_code_fieldname OUTPUT status_description
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you manually configure lookup, then you will need entry for your lookup csv files. However, because you are seeing the content of your lookup files by inputlookup, it tells your lookup table is accessible and usable. I guess there is something wrong with your lookup command or option when you run lookup.
It may help if you could paste your search here with some quick description of the fields in your data and column in your lookup table 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can successfully list the contents of the lookup table with the input lookup command. However I can not see the fields output. I will reread the "Addfieldsfromexternaldatasources" and start over. I did notice that there was no props.conf in the /usr/local/splunk/etc/apps/maps/local directory. Do I need a corresponding props.conf for each lookup table?
Thank you !,
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
