Splunk Search

New lookup is not working

gustavoortega
New Member

Hi team,

I have already worked with the lookup feature of Splunk (tables, definitions and automatic lookups), and it is working correctly, even though I created a script that uses the inputlookup command to automatically update the lookup table when needed.

The CSV file of the lookup table has the following structure:

appid,appName
APP01729-af-ws.service,APP01729
APP01729-af-sch.service,APP01729
APP01729-af-wkr.service,APP01729

The idea of this lookup is to match appid with one of the attributes that Splunk has from a search and then add the value of appName to the result of that search, for example:

  • appid will match the values of systemd_unit
  • with that match, the search will add the attribute appname with the value of appName from the lookup table

That behavior is working with the values above, but when I try to create another lookup table and its definition with different values, matching the same attributes in Splunk, it does not create the new attribute in the search. I tested that with this search:

index=main_dev ...  
| spath systemd_unit 
| search systemd_unit="*container*"
| lookup appids_lookup appid as systemd_unit OUTPUTNEW appName

Here the systemd_unit that it tries to match is everything that has 'container' in its name, and then it should create a new attribute called appName with the value corresponding to appName in the lookup table.

That doesn't work, because the search for container and the corresponding lookup value in the lookup table are new.

But for the old values of the lookup table (I mean old values from other lookup tables that I reuse in the new lookup table) it works correctly, creating the new attribute in the search.

My question is: do I need to do something more than creating the lookup table and definition to make this work for new values?

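A small Python model of what the `| lookup appids_lookup appid as systemd_unit OUTPUTNEW appName` line in the post does, added here as an illustration and not code from the thread or from Splunk itself. It uses the three CSV rows from the post plus one constructed row for containerd.service (an assumption standing in for the new table), and models two documented Splunk behaviours: OUTPUTNEW writes a field only when the event does not already have it (OUTPUT would overwrite), and CSV lookup matching is exact and case-sensitive by default (transforms.conf `case_sensitive_match = true`). The `diagnose_key` helper is a hypothetical check for why a key that `inputlookup` shows in the table still fails to match an event value (case or stray whitespace).

```python
import csv
import io

# Constructed lookup table: the three rows quoted in the post plus one added row
# for containerd.service (an assumption, standing in for the poster's new table).
LOOKUP_CSV = """appid,appName
APP01729-af-ws.service,APP01729
APP01729-af-sch.service,APP01729
APP01729-af-wkr.service,APP01729
containerd.service,APP_CONTAINER
"""

# Constructed sample events, each with the field the lookup is matched on.
SAMPLE_EVENTS = [
    {"systemd_unit": "containerd.service"},                         # new key, should receive appName
    {"systemd_unit": "APP01729-af-ws.service"},                     # key from the old table
    {"systemd_unit": "containerd.service", "appName": "OLDVALUE"},  # appName already present
    {"systemd_unit": "Containerd.service"},                         # differs only in case
    {"systemd_unit": "containerd.service "},                        # trailing whitespace
]


def load_lookup(text):
    """Parse a CSV lookup table into row dicts, the view `| inputlookup` gives you."""
    return list(csv.DictReader(io.StringIO(text)))


def lookup(events, table, lookup_field, event_field, output_fields,
           output_new=False, case_sensitive=True):
    """Model of `| lookup <table> <lookup_field> AS <event_field> OUTPUT|OUTPUTNEW <fields>`.

    output_new=True mirrors OUTPUTNEW: an output field is written only if the event
    lacks it. case_sensitive=True mirrors the default case_sensitive_match=true.
    Simplification: only the first matching row is used (no multivalue results).
    Returns new event dicts; the input list is left untouched.
    """
    def norm(value):
        return value if case_sensitive else value.lower()

    index = {}
    for row in table:
        index.setdefault(norm(row[lookup_field]), row)  # first row wins

    results = []
    for event in events:
        event = dict(event)
        key = event.get(event_field)
        row = index.get(norm(key)) if key is not None else None
        if row is not None:
            for field in output_fields:
                if output_new and field in event:
                    continue  # OUTPUTNEW never overwrites an existing field
                event[field] = row[field]
        results.append(event)
    return results


def diagnose_key(value, table, lookup_field):
    """Explain why an event value does or does not match a key in the lookup table.

    Returns "exact", "case" (matches only case-insensitively), "whitespace"
    (matches only after stripping surrounding whitespace), or "none".
    """
    keys = [row[lookup_field] for row in table]
    if value in keys:
        return "exact"
    if value.lower() in {k.lower() for k in keys}:
        return "case"
    if value.strip() in {k.strip() for k in keys}:
        return "whitespace"
    return "none"


def demo():
    """Run the post's OUTPUTNEW lookup over the constructed events."""
    table = load_lookup(LOOKUP_CSV)
    return lookup(SAMPLE_EVENTS, table, "appid", "systemd_unit", ["appName"],
                  output_new=True)


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for event in demo():
        unit = event["systemd_unit"]
        print(f"{unit!r:28} appName={event.get('appName')!r:16} "
              f"key check: {diagnose_key(unit, table, 'appid')}")
```

Running the block shows that only the exact, case-matching key receives the new appName, that an event which already carries appName keeps its old value under OUTPUTNEW, and that the two near-miss keys are reported as "case" and "whitespace" rather than silently dropped.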

venkatasri
SplunkTrust

Hi @gustavoortega, have you tried finding the new lookup table with the | inputlookup command?

Can you share the new lookup table contents, and do your search events have a field/value that matches the lookup field?

When you created the new lookup, what is the scope of the app? Are you running the query in the same app or outside it?

What is the new search query that you have used?


gustavoortega
New Member

Hi @venkatasri, yes, the command and the output of | inputlookup are the following:

[screenshot: gustavoortega_0-1625664287965.png]

This is the lookup table and the search that generates it:

[screenshot: gustavoortega_1-1625664373986.png]


Yes, I'm running the lookup in the same scope and in the same app.
This is the lookup definition:

[screenshot: gustavoortega_2-1625664422655.png]


And this is the lookup table:

[screenshot: gustavoortega_3-1625664484178.png]


And this is the new search that I'm using:

[screenshot: gustavoortega_4-1625664609347.png]


As you can see, I try to match the values of appid in the lookup table to systemd_unit in the search; the values match for containerd.service, but the new value that should show in appName doesn't show.

But if I change the search a little to include another value, not just containerd, it works correctly, but it only shows the other value.

[screenshot: gustavoortega_5-1625664828425.png]

I think this other value is correctly retrieved because it is a value that exists in the other lookups that work correctly.
