I am fairly new to Splunk, and I am having a lot of trouble using the table lookups.
I have a lookup CSV table (team_info) that looks like this:
team_id,active,group
team_a,1,team a ops
team_b,0,team b marketing
team_c,1,team c netops
My search is extracting a field using regex:
index="sys_alerts"
| rex field="Message" "...<teamID>..."
| eval app="Application A"
| lookup team_info team_id as teamID OUTPUT active as active, group as group
When I run the search, the teamID is extracted successfully, but I do not see the active or group fields in the events.
What am I doing wrong or missing?
Thanks in advance.
Make sure the teamID field value exactly matches a value in the team_id column of the lookup table. Use the lower() function to shift case or create a lookup definition with the "case sensitive" advanced option turned off.
| eval teamID = lower(teamID)
Thanks, richgalloway. Aside from some of the entries not matching the same case, there was also a space included in the teamID extractions.
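Putting the answer and the follow-up together, here is a version of the search that normalises both case and stray whitespace before the lookup and then counts how many events still fail to match. This is an added example, not the original poster's search: the rex pattern `(?<teamID>\S+)` is an assumption standing in for the regex the post elides, and the `lookup_matched` field is a diagnostic added here.

```spl
index="sys_alerts"
| rex field="Message" "(?<teamID>\S+)"
| eval app="Application A"
| eval teamID=lower(trim(teamID))
| lookup team_info team_id AS teamID OUTPUT active AS active, group AS group
| eval lookup_matched=if(isnotnull(active), "yes", "no")
| stats count BY teamID, lookup_matched
```

Rows with `lookup_matched=no` show exactly which extracted teamID values have no counterpart in the team_id column, so you can compare them against `| inputlookup team_info` to see whether the mismatch is case, whitespace, or a value that simply is not in the CSV.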