Solved: Lookup table does not append value to event

samlinsongguo · ‎05-18-2017

I have a lookup table as below
User IsMember
user1 Yes
user2 Yes
user3 No

I save the table as memberlist.csv save as type is CSV(comma delimited)(*.csv)
I import the table and define the lookup (lookupA) as Splunk doc described in the web GUI
Then I run following search

index=A | lookup lookupA User OUTPUT IsMemeber

I expect the commend will add an IsMember value into the event right? but I could not find the field.

Any suggestions abot where I am doing it wrong?

Cheers
Sam

samlinsongguo · ‎05-21-2017

I found what is the problem
1 as previous mentioned csv file format need to be commas separated.
2 Lookup table basic the search field need to match a field in the event and it is case sensitive, otherwise I need to define which field to match
index=x eventField=* | lookup lookupName lookupTableSearchField AS eventField
that will do the trick
Thank you for all the help

View solution in original post

samlinsongguo · ‎05-21-2017

I found what is the problem
1 as previous mentioned csv file format need to be commas separated.
2 Lookup table basic the search field need to match a field in the event and it is case sensitive, otherwise I need to define which field to match
index=x eventField=* | lookup lookupName lookupTableSearchField AS eventField
that will do the trick
Thank you for all the help

woodcock · ‎05-22-2017

You can make the matching case-insensitive but you need the CLI to add case_sensitive_match = false to transforms.conf.

Don't forget to up-vote helpful answers.

woodcock · ‎05-19-2017

You are using spaces to delimit the field values in your lookup, but you need to be using commas. Change that and it will work just fine.

samlinsongguo · ‎05-21-2017

I have replaced spaces to to commas but still can not see the new field added into each event. What I did was open the .csv file in notepad and replace the spaces between user and IsMember field and save it. and i also tried create .csv file in notepad from start like below but still cant see appended field in each event

userN,isMbr
a,Yes
b,Yes

any ideas where the problem is?

samlinsongguo · ‎05-21-2017

the search I am doing is index=x| lookup test userN OUTPUT isMbr is this right?

hunters_splunk · ‎05-18-2017

Hi Sam,

Have you shared your lookup definition with apps? If not, please follow the steps described in the documentation below and try again:

http://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Usefieldlookupstoaddinformationtoyoureve...

Hope this helps. Thanks!
Hunter

samlinsongguo · ‎05-21-2017

yes I did, I put all as global for both file and definition

aakwah · ‎05-18-2017

Hello,

For csv lookups I create the files with a text editor or via a script to have a text file at the end, then the contents of memberlist.csv file will be like that:

User,IsMember
user1,Yes
user2,Yes
user3,No

Regards

samlinsongguo · ‎05-21-2017

the search I am doing is index=x| lookup test userN OUTPUT isMbr is this right?

samlinsongguo · ‎05-21-2017

I have replaced spaces to to commas but still can not see the new field added into each event. What I did was open the .csv file in notepad and replace the spaces between user and IsMember field and save it. and i also tried create .csv file in notepad from start like below but still cant see appended field in each event

userN,isMbr
a,Yes
b,Yes

any ideas where the problem is?

aakwah · ‎05-22-2017

Good news that the issue is solved !

Lookup table does not append value to event

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation