Splunk Search

Lookup table does not append value to event

samlinsongguo
Communicator

I have a lookup table as below
User IsMember
user1 Yes
user2 Yes
user3 No

I save the table as memberlist.csv, with "save as type" set to CSV (comma delimited) (*.csv).
I import the table and define the lookup (lookupA) in the web GUI as the Splunk docs describe.
Then I run the following search:

index=A | lookup lookupA User OUTPUT IsMember

I expect the command will add an IsMember value to the event, right? But I could not find the field.

Any suggestions about where I am going wrong?

Cheers
Sam

1 Solution

samlinsongguo
Communicator

I found what the problem is:
1. As previously mentioned, the CSV file format needs to be comma separated.
2. For a basic lookup table, the search field needs to match a field in the event, and it is case sensitive; otherwise I need to define which field to match:
index=x eventField=* | lookup lookupName lookupTableSearchField AS eventField
That will do the trick.
Thank you for all the help.



woodcock
Esteemed Legend

You can make the matching case-insensitive but you need the CLI to add case_sensitive_match = false to transforms.conf.

Don't forget to up-vote helpful answers.

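Added Python example (not from the original posts or from Splunk) that models the three causes raised in this thread: a space-delimited file, a lookup field name that does not match the event field (hence the AS clause), and case-sensitive matching (what case_sensitive_match = false relaxes). The field names User, IsMember and userN come from the thread; the matching logic is a simplified assumption about how the lookup command behaves, useful for checking a CSV before uploading it.

```python
import csv
import io

# Constructed samples: the space-delimited file from the question and the
# corrected comma-delimited version the answers ask for.
SPACE_DELIMITED = "User IsMember\nuser1 Yes\nuser2 Yes\nuser3 No\n"
COMMA_DELIMITED = "User,IsMember\nuser1,Yes\nuser2,Yes\nuser3,No\n"


def load_lookup(text):
    """Parse lookup CSV text as Splunk expects it: comma-delimited with a
    header row. Returns (header_fields, rows). A space-delimited file parses
    as a single wide column, which is the first bug in the thread."""
    reader = csv.DictReader(io.StringIO(text))
    return list(reader.fieldnames or []), list(reader)


def is_comma_delimited(text):
    """True when the header splits into more than one field on commas."""
    return len(load_lookup(text)[0]) > 1


def lookup(events, rows, lookup_field, event_field, output_field,
           case_sensitive=True):
    """Simplified model (an assumption, not Splunk's own code) of
    `| lookup <name> <lookup_field> AS <event_field> OUTPUT <output_field>`.
    Events with no matching row come back unchanged, which is the
    'field never appears' symptom from the question. case_sensitive=False
    models case_sensitive_match = false in transforms.conf."""
    norm = (lambda s: s) if case_sensitive else (lambda s: s.lower())
    index = {norm(r[lookup_field]): r[output_field] for r in rows}
    out = []
    for ev in events:
        ev = dict(ev)
        key = ev.get(event_field)
        if key is not None and norm(key) in index:
            ev[output_field] = index[norm(key)]
        out.append(ev)
    return out


def demo():
    """Constructed events whose field is userN rather than User, so the AS
    clause is needed; 'User2' only matches when case is ignored."""
    _, rows = load_lookup(COMMA_DELIMITED)
    events = [{"userN": "user1"}, {"userN": "User2"}, {"userN": "user9"}]
    strict = lookup(events, rows, "User", "userN", "IsMember")
    loose = lookup(events, rows, "User", "userN", "IsMember", case_sensitive=False)
    return strict, loose
```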

woodcock
Esteemed Legend

You are using spaces to delimit the field values in your lookup, but you need to be using commas. Change that and it will work just fine.


samlinsongguo
Communicator

I have replaced the spaces with commas but still cannot see the new field added to each event. What I did was open the .csv file in Notepad, replace the spaces between the User and IsMember fields, and save it. I also tried creating the .csv file in Notepad from scratch, like below, but still can't see the appended field in each event.

userN,isMbr
a,Yes
b,Yes

Any ideas where the problem is?


samlinsongguo
Communicator

The search I am doing is index=x | lookup test userN OUTPUT isMbr. Is this right?


hunters_splunk
Splunk Employee

Hi Sam,

Have you shared your lookup definition with apps? If not, please follow the steps described in the documentation below and try again:

http://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

Hope this helps. Thanks!
Hunter


samlinsongguo
Communicator

Yes I did, I set everything to global for both the file and the definition.


aakwah
Builder

Hello,

For CSV lookups I create the files with a text editor or via a script, so that I end up with a plain text file; the contents of the memberlist.csv file will then look like this:

User,IsMember
user1,Yes
user2,Yes
user3,No

Regards




aakwah
Builder

Good news that the issue is solved!
