
Why doesn't the Automatic lookup work?

New Member

I have a new lookup set up and I want to query against it. Presently it's not working. May I know what I have to do in order to get it set up for auto lookup?

thanks


Re: Why doesn't the Automatic lookup work?

SplunkTrust

Re: Why doesn't the Automatic lookup work?

New Member

I read that. I created four columns for my CSV, did props.conf and transforms.conf, and I want the lookup to be applied automatically for a field.

But when I run the query in the search I don't get any statistics. Why is that?


Re: Why doesn't the Automatic lookup work?

SplunkTrust

I've left my crystal ball in storage, sorry - you will need to post more details about what you're doing. For example, post the props.conf and transforms.conf entries you've made. Post what apps you've placed them in, what permissions you've given them, what app you're searching from, what user/role combo you're searching from, etc.


Re: Why doesn't the Automatic lookup work?

New Member

props:
[smptsmaccesslog]
LOOKUP-pnipenv = pnipenv ip AS ip OUTPUTNEW inbound AS pninbound pn AS pnname variety AS pnvariety

transforms:
[pnipenv]
filename = pnipenv.csv

The CSV file has four columns:
ip, inbound, pn, variety


Re: Why doesn't the Automatic lookup work?

SplunkTrust

Does the sourcetype smptsm_accesslog have matching ip values?


Re: Why doesn't the Automatic lookup work?

SplunkTrust

1) Try manually checking the data

| inputlookup mylookup.csv

that should tell you if it's there.

2) Try manually testing a lookup. Assuming the name of the lookup field is foo, that in one record of the lookup the field foo has a value of "bar", and that there is another column named baz:

| makeresults 
| eval foo = "bar"
| lookup mylookup.csv foo OUTPUT baz 

If both of those work, then you have probably set up the lookup itself incorrectly. If one of them fails, then either the definition is wrong, the lookup name is wrong, or the data is wrong.


Re: Why doesn't the Automatic lookup work?

New Member

How do I check that the auto lookup is working?


Re: Why doesn't the Automatic lookup work?

Explorer

@DalJeanis when you say "If both of those work, then you have probably set up the lookup itself incorrectly." did you mean you have set up the lookup correctly? Both of my queries work.

| inputlookup q-compliance_system_asset_mapping  (working)


| eval foo = "bar" | lookup q-compliance_system_asset_mapping dns AS dest OUTPUT system AS system  (working)

But it's not working on pivot. Do you have any suggestions on how to troubleshoot?


Re: Why doesn't the Automatic lookup work?

Esteemed Legend

Assuming that your event data's field name is foo and the matching lookup field name is bar:

1: Use "|inputlookup YourLookupFileNameHere.csv" to see if your file is searchable from your user/app context.
2: Use "|inputlookup YourLookupFileNameHere.csv | where bar=*" to see if your file has the right field name.
3: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo" to see if your data is searchable from your user/app context.
4: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo | where foo=*" to see if your data has the right field name.
5: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo | where foo=* | lookup YourLookupFileNameHere.csv | where bar=*" to test that all this works together.
6: CLONE your existing automatic lookup definition and make sure that, if you are using a sourcetype-based stanza, the sourcetype listed is *exactly* the "AndSourcetypeToo" of your event data.  Upper/lower-case matters.  Why did I have you clone it?  Because that is the only practical way to see if you have accidental whitespace at the beginning or end of your sourcetype string, as can easily happen when doing cut/paste.  You can see it when you clone but not by looking at it on the screen any other practical way (Yes, you could use a "|rest" call but this is way quicker/easier).  I suspect that this is your problem.
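The stanza checks suggested in this thread can also be run offline against the .conf text. The following is an added example, not code from any poster or from Splunk: a small Python linter that flags whitespace in a sourcetype stanza name, a stanza that matches no observed sourcetype exactly, and a LOOKUP- setting that points at an undefined lookup (that last check goes beyond what the thread covers). The function names, the near-miss heuristic and the joined `LOOKUP-pnipenv` line in the sample are assumptions.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; stanza names are kept byte-for-byte."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        header = re.match(r"^\[(.*)\]\s*$", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def _loose(name):
    # Heuristic (assumption): ignore case and punctuation to spot "almost the same" names.
    return re.sub(r"[^a-z0-9]", "", name.lower())

def check_auto_lookups(props_text, transforms_text, observed_sourcetypes):
    """Return findings that would stop a sourcetype-based LOOKUP- setting from applying."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    findings = []
    for stanza, settings in props.items():
        lookups = {k: v for k, v in settings.items() if k.startswith("LOOKUP-")}
        if not lookups or "::" in stanza:  # skip host:: and source:: stanzas
            continue
        if stanza != stanza.strip():
            findings.append(f"stanza [{stanza}] has leading/trailing whitespace")
        if stanza not in observed_sourcetypes:
            near = [s for s in observed_sourcetypes if _loose(s) == _loose(stanza)]
            findings.append(f"stanza [{stanza}] matches no observed sourcetype; near misses: {near}")
        for key, value in lookups.items():
            table = value.split()[0] if value else ""
            if table not in transforms:
                findings.append(f"{key} references undefined lookup '{table}'")
            elif "filename" not in transforms[table]:
                findings.append(f"lookup '{table}' has no filename setting")
    return findings

# Constructed sample: the settings as posted in the thread (wrapped LOOKUP line joined),
# plus the sourcetype name used in the reply that asks about matching ip values.
PROPS = """[smptsmaccesslog]
LOOKUP-pnipenv = pnipenv ip AS ip OUTPUTNEW inbound AS pninbound pn AS pnname variety AS pnvariety
"""
TRANSFORMS = "[pnipenv]\nfilename = pnipenv.csv\n"
OBSERVED = ["smptsm_accesslog"]  # assumption: the sourcetype actually seen on the events

if __name__ == "__main__":
    for finding in check_auto_lookups(PROPS, TRANSFORMS, OBSERVED):
        print(finding)
```

On the sample it reports one finding: the props stanza and the sourcetype named in the reply differ by an underscore, so the stanza would never apply to those events.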