Splunk Search

Lookup table does not append value to event

samlinsongguo
Communicator

I have a lookup table as below:
User IsMember
user1 Yes
user2 Yes
user3 No

I save the table as memberlist.csv, with the save-as type set to CSV (comma delimited) (*.csv).
I import the table and define the lookup (lookupA) in the web GUI as the Splunk docs describe.
Then I run the following search:

index=A | lookup lookupA User OUTPUT IsMember

I expect the command will add an IsMember value into the event, right? But I could not find the field.

Any suggestions about where I am doing it wrong?

Cheers
Sam


samlinsongguo
Communicator

I found what the problem is:
1. As previously mentioned, the csv file format needs to be comma separated.
2. For a basic lookup table, the search field needs to match a field in the event, and it is case sensitive; otherwise I need to define which field to match:
index=x eventField=* | lookup lookupName lookupTableSearchField AS eventField
That will do the trick.
Thank you for all the help.



woodcock
Esteemed Legend

You can make the matching case-insensitive but you need the CLI to add case_sensitive_match = false to transforms.conf.

Don't forget to up-vote helpful answers.

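As an added illustration (not code from the thread or from Splunk), the following script mimics what the `lookup` command does with the three problems discussed here: a space-delimited file that yields one column instead of two, a lookup column name that does not match the event field until `AS` maps it, and the case-sensitive match that `case_sensitive_match = false` relaxes. The lookup contents and events are constructed sample values.

```python
import csv
import io

# Constructed sample lookups: one saved with spaces (what the original file
# looked like) and one saved comma-delimited as Splunk expects.
SPACE_DELIMITED = "User IsMember\nuser1 Yes\nuser2 Yes\nuser3 No\n"
COMMA_DELIMITED = "User,IsMember\nuser1,Yes\nuser2,Yes\nuser3,No\n"

# Constructed events; note the event field is named "userN", not "User".
EVENTS = [{"userN": "user1"}, {"userN": "USER2"}, {"userN": "user4"}]


def load_lookup(text):
    """Parse a CSV lookup the way Splunk reads it: comma-delimited, header row.

    A space-delimited file parses as a single column named "User IsMember",
    so neither "User" nor "IsMember" exists as a field afterwards.
    """
    return list(csv.DictReader(io.StringIO(text)))


def lookup(events, table, lookup_field, output_field,
           event_field=None, case_sensitive=True):
    """Mimic `| lookup <table> <lookup_field> AS <event_field> OUTPUT <output_field>`.

    Without AS, Splunk compares the lookup column against the event field of
    the same name. The comparison is case sensitive unless
    case_sensitive_match = false is set for the lookup in transforms.conf.
    """
    event_field = event_field or lookup_field
    norm = (lambda v: v) if case_sensitive else (lambda v: v.lower())
    index = {}
    for row in table:
        if lookup_field in row and output_field in row:
            index.setdefault(norm(row[lookup_field]), row[output_field])
    enriched = []
    for ev in events:
        ev = dict(ev)
        key = ev.get(event_field)
        if key is not None and norm(key) in index:
            ev[output_field] = index[norm(key)]
        enriched.append(ev)
    return enriched


def count_enriched(events, output_field):
    """Number of events that received the output field (0 means the lookup is silently not matching)."""
    return sum(1 for ev in events if output_field in ev)
```

Run the four variants (space-delimited, comma-delimited without AS, with AS, with AS and case-insensitive) to see the enriched count go from 0 to 0 to 1 to 2, which is exactly the progression of this thread.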

woodcock
Esteemed Legend

You are using spaces to delimit the field values in your lookup, but you need to be using commas. Change that and it will work just fine.


samlinsongguo
Communicator

I have replaced the spaces with commas but still cannot see the new field added to each event. What I did was open the .csv file in Notepad, replace the spaces between the user and IsMember fields, and save it. I also tried creating the .csv file in Notepad from scratch, like below, but still can't see the appended field in each event:

userN,isMbr
a,Yes
b,Yes

any ideas where the problem is?


samlinsongguo
Communicator

The search I am doing is index=x | lookup test userN OUTPUT isMbr. Is this right?


hunters_splunk
Splunk Employee

Hi Sam,

Have you shared your lookup definition with apps? If not, please follow the steps described in the documentation below and try again:

http://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

Hope this helps. Thanks!
Hunter


samlinsongguo
Communicator

Yes I did, I set both the file and the definition to global.


aakwah
Builder

Hello,

For csv lookups I create the files with a text editor or via a script, so that I end up with a plain text file. The contents of the memberlist.csv file will then look like this:

User,IsMember
user1,Yes
user2,Yes
user3,No

Regards


aakwah
Builder

Good news that the issue is solved!
