Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookups with extracted fields not working- Why can't I see the active or group fields in events?

mark_cet
Path Finder
‎09-13-2022 05:58 AM

I am a fairly new to Splunk, and I am having a lot of trouble using the table lookups.

 

I have a lookup CSV table (team_info) that looks like this:

team_id,active,group
team_a,1,team a ops
team_b,0,team b marketing
team_c,1,team c netops

 

My search is extracting field using regex:

 

index="sys_alerts"
| rex field="Message" "...<teamID>..."
| eval app="Application A"
| lookup team_info team_id as teamID OUTPUT active as active, group as group

 

When I run the search the teamID is being extracted successfully but I do not see the active or group fields in the events.

 

What am I doing wrong or missing?

 

Thanks in advance.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2022 06:15 AM

Make sure the teamID field value exactly matches a value in the team_id column of the lookup table.  Use the lower() function to shift case or create a lookup definition with the "case sensitive" advanced option turned off.

| eval teamID = lower(teamID)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2022 06:15 AM

Make sure the teamID field value exactly matches a value in the team_id column of the lookup table.  Use the lower() function to shift case or create a lookup definition with the "case sensitive" advanced option turned off.

| eval teamID = lower(teamID)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mark_cet
Path Finder
‎09-14-2022 06:30 AM

Thanks richgalloway. Aside from some of the entries not matching the same case there was also a space included in the teamID extractions.

 

Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...