- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a lookup table as below
User IsMember
user1 Yes
user2 Yes
user3 No
I save the table as memberlist.csv save as type is CSV(comma delimited)(*.csv)
I import the table and define the lookup (lookupA) as Splunk doc described in the web GUI
Then I run following search
index=A | lookup lookupA User OUTPUT IsMemeber
I expect the commend will add an IsMember value into the event right? but I could not find the field.
Any suggestions abot where I am doing it wrong?
Cheers
Sam
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found what is the problem
1 as previous mentioned csv file format need to be commas separated.
2 Lookup table basic the search field need to match a field in the event and it is case sensitive, otherwise I need to define which field to match
index=x eventField=* | lookup lookupName lookupTableSearchField AS eventField
that will do the trick
Thank you for all the help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found what is the problem
1 as previous mentioned csv file format need to be commas separated.
2 Lookup table basic the search field need to match a field in the event and it is case sensitive, otherwise I need to define which field to match
index=x eventField=* | lookup lookupName lookupTableSearchField AS eventField
that will do the trick
Thank you for all the help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![woodcock woodcock](https://community.splunk.com/legacyfs/online/avatars/1493.jpg)
You can make the matching case-insensitive but you need the CLI to add case_sensitive_match = false
to transforms.conf
.
Don't forget to up-vote helpful answers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![woodcock woodcock](https://community.splunk.com/legacyfs/online/avatars/1493.jpg)
You are using spaces
to delimit the field values in your lookup, but you need to be using commas
. Change that and it will work just fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have replaced spaces to to commas but still can not see the new field added into each event. What I did was open the .csv file in notepad and replace the spaces between user and IsMember field and save it. and i also tried create .csv file in notepad from start like below but still cant see appended field in each event
userN,isMbr
a,Yes
b,Yes
any ideas where the problem is?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the search I am doing is index=x| lookup test userN OUTPUT isMbr is this right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![hunters_splunk hunters_splunk](https://community.splunk.com/legacyfs/online/avatars/408221.jpg)
![Splunk Employee Splunk Employee](/html/@F88B7774A2BF2E9108D79A067A92A581/rank_icons/employee-16.png)
Hi Sam,
Have you shared your lookup definition with apps? If not, please follow the steps described in the documentation below and try again:
Hope this helps. Thanks!
Hunter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes I did, I put all as global for both file and definition
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![aakwah aakwah](https://community.splunk.com/legacyfs/online/avatars/189859.jpg)
Hello,
For csv lookups I create the files with a text editor or via a script to have a text file at the end, then the contents of memberlist.csv file will be like that:
User,IsMember
user1,Yes
user2,Yes
user3,No
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the search I am doing is index=x| lookup test userN OUTPUT isMbr is this right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have replaced spaces to to commas but still can not see the new field added into each event. What I did was open the .csv file in notepad and replace the spaces between user and IsMember field and save it. and i also tried create .csv file in notepad from start like below but still cant see appended field in each event
userN,isMbr
a,Yes
b,Yes
any ideas where the problem is?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![aakwah aakwah](https://community.splunk.com/legacyfs/online/avatars/189859.jpg)
Good news that the issue is solved !
![](/skins/images/89D5ADE867CBAF0B5A525B7E23D83D7E/responsive_peak/images/icon_anonymous_message.png)