Solved: Lookups with extracted fields not working- Why can...

mark_cet · ‎09-13-2022

I am a fairly new to Splunk, and I am having a lot of trouble using the table lookups.

I have a lookup CSV table (team_info) that looks like this:

team_id,active,group
team_a,1,team a ops
team_b,0,team b marketing
team_c,1,team c netops

My search is extracting field using regex:

index="sys_alerts"
| rex field="Message" "...<teamID>..."
| eval app="Application A"
| lookup team_info team_id as teamID OUTPUT active as active, group as group

When I run the search the teamID is being extracted successfully but I do not see the active or group fields in the events.

What am I doing wrong or missing?

Thanks in advance.

richgalloway · ‎09-13-2022

Make sure the teamID field value exactly matches a value in the team_id column of the lookup table. Use the lower() function to shift case or create a lookup definition with the "case sensitive" advanced option turned off.

| eval teamID = lower(teamID)

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-13-2022

Make sure the teamID field value exactly matches a value in the team_id column of the lookup table. Use the lower() function to shift case or create a lookup definition with the "case sensitive" advanced option turned off.

| eval teamID = lower(teamID)

---
If this reply helps you, Karma would be appreciated.

mark_cet · ‎09-14-2022

Thanks richgalloway. Aside from some of the entries not matching the same case there was also a space included in the teamID extractions.

Lookups with extracted fields not working- Why can't I see the active or group fields in events?

lookup

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes