Splunk Search

Why does my lookup not run?

borgy95
Path Finder

I am writing a query to lookup processed web domains against a lookup list.

I have defined a lookup named ss3url_lookup, with supported fields named "masktype", "maskid" and "kap_tld". "kap_tld" is used in this case as the input field and is a field extraction I have written, containing a sanitised domain name - the other two are intended to be output fields only and do not exist prior to the lookup.

When running my lookup with the following query, the progress is stalled at the lookup - the query runs as far as the lookup, but no results are ever returned and the query eventually times out:

sourcetype="access_combined_wcookie" | dedup kap_tld | lookup ss3url_lookup kap_tld | table kap_tld, masktype, maskid

I have verified that the kap_tld field exists and contains all values as expected, going into the lookup. But I cannot work out why the lookup stalls as it does.

Does anybody have experience of lookups not running, or know in what circumstances a lookup will stall in this way? If there is any more information I can provide, I'll be happy to do so.

1 Solution

borgy95
Path Finder

We found out what it was in the end: a few 100000 lines in, some URLs with commas appear. After this point Splunk was unable to continue running through the lookup since it sees the extra commas as a delimiter!

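A check for the cause described in the accepted answer, as an added example that is not part of the original thread: a short Python script that flags rows in a CSV lookup file whose field count disagrees with the header (the signature of an unquoted comma inside a URL) and rewrites the file with RFC 4180 quoting, so a comma inside a value is read as data rather than as a delimiter. The sample lookup file, and the rule that surplus fields belong to the first column, are my assumptions.

```python
import csv
import io

# Constructed sample lookup file (not the poster's real ss3url_lookup).
# Line 4 has an unquoted comma inside the kap_tld value, so it splits
# into four fields instead of three; line 5 shows the same value quoted.
SAMPLE_LOOKUP = """kap_tld,masktype,maskid
example.com,whitelist,1
search.example.net,category,17
shop.example.org/cart,items,category,18
"quoted.example.org/a,b",category,19
"""


def find_malformed_rows(csv_text):
    """Return (line_number, field_count) for every row whose field count
    differs from the header's. An unquoted comma shows up as an extra field."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    bad = []
    for row in reader:
        if row and len(row) != len(header):
            bad.append((reader.line_num, len(row)))
    return bad


def repair_row(row, ncols):
    """Assumption: the URL column is the first one (as in the poster's lookup),
    so surplus fields are re-joined into it. Other layouts need another rule."""
    if len(row) <= ncols:
        return row
    extra = len(row) - ncols
    return [",".join(row[: extra + 1])] + row[extra + 1:]


def rebuild_lookup(rows):
    """Write rows with csv.writer so any value containing a comma, a quote or
    a newline is quoted per RFC 4180, which CSV lookup parsers accept."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerows(rows)
    return out.getvalue()


def repair_lookup(csv_text):
    """Read a lookup file, fold surplus fields back into the URL column,
    and return the re-quoted CSV text."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    rows = [header] + [repair_row(r, len(header)) for r in reader if r]
    return rebuild_lookup(rows)


if __name__ == "__main__":
    print(find_malformed_rows(SAMPLE_LOOKUP))
    print(repair_lookup(SAMPLE_LOOKUP))
```

Running find_malformed_rows over the exported lookup before uploading it is a cheap way to catch this class of problem, since a row with the wrong field count is exactly what makes the lookup misbehave.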

woodcock
Esteemed Legend

I should have thought of that (it has happened to me). You should "Accept" your answer to close the question.


woodcock
Esteemed Legend

What error are you getting? If you are not getting any error then the problem is that your lookup table does not contain any matches for the fields you are specifying (which may mean that you are not specifying the field names on the outside *exactly* the same as in the lookup file, including upper/lower-casing). If you are getting an error, what is the error text?


vganjare
Builder

Hi,

Can you try using the syntax mentioned below:

sourcetype=access_* | stats count by status | lookup status_desc status OUTPUT description

Here, the command usage is like

lookup [local=<bool>] [update=<bool>] <lookup-table-name> ( <lookup-field> [AS <event-field>] ) [( OUTPUT | OUTPUTNEW <lookup-destfield> [AS <event-destfield>] )]

You can get more details @ http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Lookup

Thanks!!


borgy95
Path Finder

@vganjare, thanks for your answer, but this does not work either.

sourcetype="access_combined_wcookie" | dedup kap_tld | lookup ss3url_lookup kap_tld OUTPUT masktype, maskid | table kap_tld, masktype, maskid