Hi team,
I have already worked with the lookup feature of Splunk (tables, definitions and automatic lookups), and it is working correctly, even though I created a script that uses the inputlookup command to automatically update the lookup table when needed.
The CSV file of the lookup table has the following structure:
appid,appName
APP01729-af-ws.service,APP01729
APP01729-af-sch.service,APP01729
APP01729-af-wkr.service,APP01729
The idea with this lookup is to match appid with one of the attributes that Splunk has from a search and then add the value of appName to the result of that search, for example:
That behaviour works with the values above, but when I try to create another lookup table and its definition with different values, matching the same attributes in Splunk, it does not create the new attribute in the search. I tested that with this search:
index=main_dev ...
| spath systemd_unit
| search systemd_unit="*container*"
| lookup appids_lookup appid as systemd_unit OUTPUTNEW appName
Here the systemd_unit that I try to match is everything that has 'container' in its name, and then I create a new attribute called appName with the value corresponding to appName in the lookup table.
That doesn't work, because the search for container and the corresponding lookup value in the lookup table are new.
But for the old values of the lookup table (I mean old values from other lookup tables that I also use in the new lookup table) it works correctly, creating the new attribute in the search.
My question is: do I need to do something more than creating the lookup table and definition to make this work for new values?
Hi @gustavoortega, have you tried finding the new lookup table with the | inputlookup command?
Can you share the new lookup table contents, and do your search events have a field/value that matches the lookup field?
When you created the new lookup, what is the app scope? Are you running the query in the same app or outside it?
What is the new search query that you have used?
Hi @venkatasri, yes, the command and the output of | inputlookup are the following:
This is the lookup table and the search to generate it
Yes, I'm running the lookup in the same scope and in the same app
This is the lookup definition
And this is the lookup table
And this is the new search that I'm using
As you can see, I try to match the values of appid in the lookup table to systemd_unit in the search; the values match for containerd.service, but the new value that should appear in appName doesn't show.
But if I change the search a little to include another value, not just containerd, it works correctly, but only shows the other value.
I think this other value is correctly retrieved because it is a value that exists in the other lookups that work correctly.
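To make the matching rules behind `| lookup appids_lookup appid as systemd_unit OUTPUTNEW appName` concrete, here is an added Python model of the lookup command (example code, not Splunk's own implementation and not from this thread). It loads a constructed CSV with the same appid,appName layout as the one in the question, applies the exact, case-sensitive match that a CSV lookup uses by default, and honours OUTPUTNEW (only fill appName when the event does not already have it). The `containerd.service` and `Docker.service ` rows, the sample events, and the `explain_misses` helper are all constructed for this illustration; the helper reports whether a key that failed to match would have matched after stripping whitespace or case, which is the kind of data-hygiene problem that makes a freshly added row look like it is being ignored.

```python
import csv
import io

# Constructed lookup CSV modelled on the appid,appName layout from the post.
# The last row deliberately carries a trailing space and different case so the
# exact-match behaviour is visible (constructed sample data, not the poster's file).
LOOKUP_CSV = """appid,appName
APP01729-af-ws.service,APP01729
APP01729-af-sch.service,APP01729
containerd.service,APP99999
Docker.service ,APP88888
"""

# Constructed events, i.e. what `| spath systemd_unit` would have produced.
EVENTS = [
    {"systemd_unit": "APP01729-af-ws.service"},
    {"systemd_unit": "containerd.service"},
    {"systemd_unit": "docker.service"},
    {"systemd_unit": "containerd.service", "appName": "ALREADY_SET"},
]


def load_lookup(csv_text, key_field, case_sensitive=True):
    """Index the CSV rows by the lookup key; the first row for a key wins."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[key_field] if case_sensitive else row[key_field].lower()
        table.setdefault(key, row)
    return table


def lookup(events, table, event_field, output_field,
           outputnew=True, case_sensitive=True):
    """Model `lookup <name> <key> as <event_field> OUTPUT|OUTPUTNEW <output_field>`.

    Matching is exact (no wildcard, no trimming). With OUTPUTNEW the output
    field is only written when the event does not already carry it.
    """
    results = []
    for ev in events:
        ev = dict(ev)
        val = ev.get(event_field)
        if val is not None:
            key = val if case_sensitive else val.lower()
            row = table.get(key)
            if row is not None and (not outputnew or output_field not in ev):
                ev[output_field] = row[output_field]
        results.append(ev)
    return results


def explain_misses(events, table, event_field, case_sensitive=True):
    """Hypothetical diagnostic helper: for each event value that did not match,
    return the lookup key it would have matched after whitespace/case
    normalisation, or None if nothing is close."""
    normalised = {k.strip().lower(): k for k in table}
    notes = {}
    for ev in events:
        val = ev.get(event_field, "")
        key = val if case_sensitive else val.lower()
        if key in table:
            continue
        notes[val] = normalised.get(val.strip().lower())
    return notes


def run_demo():
    table = load_lookup(LOOKUP_CSV, "appid")
    enriched = lookup(EVENTS, table, "systemd_unit", "appName")
    misses = explain_misses(EVENTS, table, "systemd_unit")
    return enriched, misses


if __name__ == "__main__":
    enriched, misses = run_demo()
    for ev in enriched:
        print(ev)
    for value, near in misses.items():
        print(f"no match for {value!r}; nearest key after normalisation: {near!r}")
```

The docker.service event shows the point: the row exists in the CSV, but its key is stored as "Docker.service " with a trailing space and a capital letter, so the exact match fails and appName is never populated. When a new row does not take effect, comparing `| inputlookup` output against the raw event values character by character (including case and whitespace) is the first check to make before looking at definition scope or permissions.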