Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using extracted fields in automatic lookups

joshua_hart
Explorer
‎08-12-2013 09:40 AM

I have a series of fields I've extracted using the GUI for a particular sourcetype. I've also set up a lookup table, definition, and automatic lookup using one of those fields. The automatic lookup is supposed to add a field from the lookup table. However, I cannot get it to work with fields that have been extracted using the GUI. Is there something I'm missing? Automatic lookups work just fine on sourcetypes with fields that have been automatically extracted (ie, they arrive at Splunk as "key=value" pairs and require no additional extraction).

Any hints?

0 Karma
Reply

davecroto
Splunk Employee
Splunk Employee
‎08-12-2013 10:19 AM

First add an entry in $SPLUNK_HOME/etc/systems/local/transforms.conf:

[alookupexample]
filename=mycsvfile.csv

Then either restart splund or do a | extract reload=t then run a search like the one below:

somesearch | lookup alookupexample <oneofthefieldsyouextractedviagui> OUTPUT <oneofthefieldsinthelookup)in_the_lookup>

oneofthefieldsyouextractedviagui above needs to be the first column of the csv lookup

make sure you are looking at all the interesting fields on the right (blue) of the screen

After you've confirmed that that works put in the correct stanza inside of the props.conf file.

Reply

joshua_hart1
Path Finder
‎08-13-2013 10:35 AM

So, I ran the search manually with the lookup and I was able to match fields in the search with fields in the lookup, but the OUTPUT field was not...output. No dice. But, thanks.

0 Karma
Reply

lukejadamec
Super Champion
‎08-12-2013 09:54 AM

search | extract | lookup

0 Karma
Reply

lukejadamec
Super Champion
‎08-12-2013 09:53 AM

Have you tested the lookup by applying it manually after a search that extracts the fields?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...