Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookups with extracted fields not working- Why can't I see the active or group fields in events?

mark_cet
Path Finder
‎09-13-2022 05:58 AM

I am a fairly new to Splunk, and I am having a lot of trouble using the table lookups.

 

I have a lookup CSV table (team_info) that looks like this:

team_id,active,group
team_a,1,team a ops
team_b,0,team b marketing
team_c,1,team c netops

 

My search is extracting field using regex:

 

index="sys_alerts"
| rex field="Message" "...<teamID>..."
| eval app="Application A"
| lookup team_info team_id as teamID OUTPUT active as active, group as group

 

When I run the search the teamID is being extracted successfully but I do not see the active or group fields in the events.

 

What am I doing wrong or missing?

 

Thanks in advance.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2022 06:15 AM

Make sure the teamID field value exactly matches a value in the team_id column of the lookup table.  Use the lower() function to shift case or create a lookup definition with the "case sensitive" advanced option turned off.

| eval teamID = lower(teamID)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2022 06:15 AM

Make sure the teamID field value exactly matches a value in the team_id column of the lookup table.  Use the lower() function to shift case or create a lookup definition with the "case sensitive" advanced option turned off.

| eval teamID = lower(teamID)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mark_cet
Path Finder
‎09-14-2022 06:30 AM

Thanks richgalloway. Aside from some of the entries not matching the same case there was also a space included in the teamID extractions.

 

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...