Splunk Search

Lookups with extracted fields not working- Why can't I see the active or group fields in events?

mark_cet
Path Finder

I am a fairly new to Splunk, and I am having a lot of trouble using the table lookups.

 

I have a lookup CSV table (team_info) that looks like this:

team_id,active,group
team_a,1,team a ops
team_b,0,team b marketing
team_c,1,team c netops

 

My search is extracting field using regex:

 

index="sys_alerts"
| rex field="Message" "...<teamID>..."
| eval app="Application A"
| lookup team_info team_id as teamID OUTPUT active as active, group as group

 

When I run the search the teamID is being extracted successfully but I do not see the active or group fields in the events.

 

What am I doing wrong or missing?

 

Thanks in advance.

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Make sure the teamID field value exactly matches a value in the team_id column of the lookup table.  Use the lower() function to shift case or create a lookup definition with the "case sensitive" advanced option turned off.

| eval teamID = lower(teamID)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Make sure the teamID field value exactly matches a value in the team_id column of the lookup table.  Use the lower() function to shift case or create a lookup definition with the "case sensitive" advanced option turned off.

| eval teamID = lower(teamID)
---
If this reply helps you, Karma would be appreciated.
0 Karma

mark_cet
Path Finder

Thanks richgalloway. Aside from some of the entries not matching the same case there was also a space included in the teamID extractions.

 

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...