Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Problems w/ basic lookup table.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problems w/ basic lookup table.
added the table files & definitions w/ just defaults.
command is
sourcetype="hitachi_poolinfo" host="*0695*" %
| rex
"\s+(?<lun_number>\d+)\s+(?<lun_capacity>\d+\.\d+)\s+(?<scale>(TB|GB))\s+(?<percent_consumed>\d+%)"
| lookup 87040695 lunnumber as lun_number OUTPUT DriveType as TIER
Lookup table looks as per below
| inputlookup 87040695.csv
Capacity DP Pool DriveType Grouping PathCount Port RAIDLevel Server lunnumber
1 17 0 SATA CAESDB 1 0E RAID5(10D+1P) 000:DB2 0
2 3 5 SATA CAESDB 1 0E RAID1+0(4D+4D) 000:DB3 1
3 4 7 SAS CAESDB 1 0E RAID5(8D+1P) 000:DB4 11
error is - Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
I've copy/pasted the lookup headers from the inputlookup. I've re-arranged columns.
I've tried to pull out different columns, taken out spaces in the header info. Cant seemto get it to work. WHen I look at the DOC page in Splunk.com for lookups.. It seems identical.
Splunk really doesnt mention what its not finding. lunnumber is there..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What did you name the lookup? I can see that the csv file is named "87040695.csv", but what is the name of the lookup definition that you created?
I would recommend that names in Splunk should start with a letter and contain only letters, numbers and underscores. Although that isn't required everywhere, it is a good habit.
I assume that the actual file is in CSV format, with commas and enclosing quotation marks as appropriate. Have you checked to make sure that the line endings are Linux (" \n ")?
That's a common problem. See the docs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My guess is that there was something in one of those columns that caused Splunk to choke. Perhaps you should surround the text in those columns with quotation marks and try again.
Excel is particularly bad about removing quotation marks, when the marks should remain - so I never edit my csv files with Excel.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a column MAX? I removed a couple columns & now it works.. Puzzling.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a windows install but when I first created the CSV it wouldnt take it- thought it was Binary until I used notepad++ to convert EOL to Unix format.
The fact that when I pipe in the command
inputlookup 87040695.csv
or
inputlookup 87040695
it pulls the right info seems like it is taking the file correctly right? would that rule out issues w/ formatting or no? I'll go back, recreate it to start w/ letters & see if there is any change.
The commands are correct right? It should work IMO 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
