Solved: Re: Lookup table does not append value to event

samlinsongguo · ‎05-18-2017

I have a lookup table as below
User IsMember
user1 Yes
user2 Yes
user3 No

I save the table as memberlist.csv save as type is CSV(comma delimited)(*.csv)
I import the table and define the lookup (lookupA) as Splunk doc described in the web GUI
Then I run following search

index=A | lookup lookupA User OUTPUT IsMemeber

I expect the commend will add an IsMember value into the event right? but I could not find the field.

Any suggestions abot where I am doing it wrong?

Cheers
Sam

samlinsongguo · ‎05-21-2017

I found what is the problem
1 as previous mentioned csv file format need to be commas separated.
2 Lookup table basic the search field need to match a field in the event and it is case sensitive, otherwise I need to define which field to match
index=x eventField=* | lookup lookupName lookupTableSearchField AS eventField
that will do the trick
Thank you for all the help

View solution in original post

samlinsongguo · ‎05-21-2017

I found what is the problem
1 as previous mentioned csv file format need to be commas separated.
2 Lookup table basic the search field need to match a field in the event and it is case sensitive, otherwise I need to define which field to match
index=x eventField=* | lookup lookupName lookupTableSearchField AS eventField
that will do the trick
Thank you for all the help

woodcock · ‎05-22-2017

You can make the matching case-insensitive but you need the CLI to add case_sensitive_match = false to transforms.conf.

Don't forget to up-vote helpful answers.

woodcock · ‎05-19-2017

You are using spaces to delimit the field values in your lookup, but you need to be using commas. Change that and it will work just fine.

samlinsongguo · ‎05-21-2017

I have replaced spaces to to commas but still can not see the new field added into each event. What I did was open the .csv file in notepad and replace the spaces between user and IsMember field and save it. and i also tried create .csv file in notepad from start like below but still cant see appended field in each event

userN,isMbr
a,Yes
b,Yes

any ideas where the problem is?

samlinsongguo · ‎05-21-2017

the search I am doing is index=x| lookup test userN OUTPUT isMbr is this right?

hunters_splunk · ‎05-18-2017

Hi Sam,

Have you shared your lookup definition with apps? If not, please follow the steps described in the documentation below and try again:

http://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

Hope this helps. Thanks!
Hunter

samlinsongguo · ‎05-21-2017

yes I did, I put all as global for both file and definition

aakwah · ‎05-18-2017

Hello,

For csv lookups I create the files with a text editor or via a script to have a text file at the end, then the contents of memberlist.csv file will be like that:

User,IsMember
user1,Yes
user2,Yes
user3,No

Regards

samlinsongguo · ‎05-21-2017

the search I am doing is index=x| lookup test userN OUTPUT isMbr is this right?

samlinsongguo · ‎05-21-2017

I have replaced spaces to to commas but still can not see the new field added into each event. What I did was open the .csv file in notepad and replace the spaces between user and IsMember field and save it. and i also tried create .csv file in notepad from start like below but still cant see appended field in each event

userN,isMbr
a,Yes
b,Yes

any ideas where the problem is?

aakwah · ‎05-22-2017

Good news that the issue is solved !

Lookup table does not append value to event

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)