Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Refining the search through lookup

macadminrohit
Contributor
‎04-10-2017 01:40 PM

Hi,

Below is the search I am running on a set of servers in the lookup file , I don't want to run the search on all the hosts resulting from my main search that's why I am using the sub search (using inputlookup)

index=cohl host=mdc* [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host] | where count==0 | table sourcetype host

But when I run the search I see the error :

Regex: invalid UTF-8 string

Can the experts let me know how to get rid of this error?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-22-2017 03:42 PM

What does this do:

| inputlookup COHL_Sourcetype

Does the above give you the error, too? If so, you definitely need to clean the file.

Also, the search definitely is broken even beyond this error. At a minimum, this | stats count by sourcetype host should be stats count by sourcetype host | table sourcetype host or maybe stats count by sourcetype host | table sourcetype or maybe stats count by sourcetype host | table host.

0 Karma
Reply

lguinn2
Legend
‎04-12-2017 12:34 AM

Splunk expects the lookup files to be in the UTF-8 character set, with normal line endings (Linux or Windows).
Here are the specific requirements from the Configure CSV lookups section of the Knowledge Manager manual. The file must also be in proper CSV format.

Many text editors can find and "zap" weird characters and clean up the line endings in a file. I think Notepad++ may do this, as will BBEdit and others.

0 Karma
Reply

DalJeanis
Legend
‎04-10-2017 03:16 PM

Have you verified there are no weird characters in your inputlookup table?

0 Karma
Reply

macadminrohit
Contributor
‎04-11-2017 09:19 AM

No I don't see anything weird in the lookup file. Any way I can remove those characters if any?

0 Karma
Reply

somesoni2
Revered Legend
‎04-10-2017 01:48 PM

Do you only want to run your search for host,sourcetype combination in subsearch where the value of field count in the subsearch is greater than 0? If yes then, you should include the where clause inside subsearch. Also, add a table command at the end of subsearch to only return the fields that you want to pass (and which are available in ) in base search.

index=cohl  [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host | where count=0 | table sourcetype host]
0 Karma
Reply

macadminrohit
Contributor
‎04-10-2017 02:37 PM

I tried your query but it doesn't work , to test it I placed 'where count >=0' , but it again gave me that error .

index=cohl host=mdc* [ | inputlookup COHL_Sourcetype | eval count=0 | stats count by sourcetype host | where count ==0 | table sourcetype host]

The above query doesn't return anything.

0 Karma
Reply

somesoni2
Revered Legend
‎04-10-2017 02:41 PM

Try this

index=cohl  [ | inputlookup COHL_Sourcetype | stats count by sourcetype host | where count=0 | table sourcetype host | format ]

OR

index=cohl  [ | inputlookup COHL_Sourcetype | stats count by sourcetype host | where count=0 | table sourcetype host | format  "" "" "" "" "" ""]
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...