I have a new lookup set up and I want to query against it. Presently it's not working. May I know what I have to do in order to get it set up for auto lookup?
Thanks
1) Try manually checking the data
| inputlookup mylookup.csv
That should tell you if it's there.
2) Try manually testing a lookup. Assuming the name of the lookup field is foo, and in one record in the lookup the field foo has a value of "bar", and there is another column named baz.
| makeresults
| eval foo = "bar"
| lookup mylookup.csv foo OUTPUT baz
If both of those work, then you have probably set up the lookup itself incorrectly. If one of them fails, then either the definition is wrong, the lookup name is wrong, or the data is wrong.
Assuming that your event data's field name is foo and the matching lookup field name is bar:
1: Use "|inputlookup YourLookupFileNameHere.csv" to see if your file is searchable from your user/app context.
2: Use "|inputlookup YourLookupFileNameHere.csv | where bar=*" to see if your file has the right field name.
3: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo" to see if your data is searchable from your user/app context.
4: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo | where foo=*" to see if your data has the right field name.
5: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo | where foo=* | lookup YourLookupFileNameHere.csv | where bar=*" to test that all this works together.
6: CLONE your existing automatic lookup definition and make sure that, if you are using a sourcetype-based stanza, the sourcetype listed is *exactly* the "AndSourcetypeToo" of your event data. Upper/lower-case matters. Why did I have you clone it? Because that is the only practical way to see if you have accidental whitespace at the beginning or end of your sourcetype string, as can easily happen when doing cut/paste. You can see it when you clone but not by looking at it on the screen any other practical way (Yes, you could use a "|rest" call but this is way quicker/easier). I suspect that this is your problem.
| inputlookup mylookup.csv (works)
index=xyz | inputlookup mylookup.csv (doesn't work)
There are 2 lookup-ish commands: inputlookup and lookup. You are confusing the two. Read my post again.
There is actually one more possible issue, when using a remote Indexer. You need to enable replication of KVStore lookups by adding the following to <app>/local/collections.conf:
[<automatic_lookup_name>_kvstore]
replicate = true
@DalJeanis When you say "If both of those work, then you have probably set up the lookup itself incorrectly." did you mean you have set up the lookup correctly? Both of my queries work.
| inputlookup q-compliance_system_asset_mapping (working)
| eval foo = "bar" | lookup q-compliance_system_asset_mapping dns AS dest OUTPUT system AS system (working)
But it's not working on pivot. Do you have any suggestion on how to troubleshoot?
How do I check that auto lookup is working?
This covers what to do in order to set up automatic lookups: http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/DefineanautomaticlookupinSplunkWeb
Does the sourcetype smptsm_accesslog have matching ip values?
I've left my crystal ball in storage, sorry - you will need to post more details about what you're doing. For example, post the props.conf and transforms.conf entries you've made. Post what apps you've placed them in, what permissions you've given them, what app you're searching from, what user/role combo you're searching from, etc.
props.
[smptsm_accesslog]
LOOKUP-pn_ip_env = pn_ip_env ip AS ip OUTPUTNEW inbound AS pn_inbound pn AS pn_name variety AS pn_variety
transforms-
[pn_ip_env]
csv file has four columns-
ip, inbound,pn,variety.
I read that. I created four columns for my CSV, and did props and transforms.conf, and I want the lookup to be done automatically for a field.
But when I run the query in search I don't get any statistics. Why is that?
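
An offline check for the configuration points raised in this thread, as an added example that is not from any poster or from Splunk: it parses props.conf and transforms.conf text and flags a sourcetype stanza that differs only by case or stray whitespace, a transforms stanza with no filename, and lookup field names that do not appear exactly in the CSV header. It covers CSV lookups only; the file name pn_ip_env.csv, the sample row and the function names are assumptions.

```python
import csv, io, re

def stanzas(text):
    """Parse .conf text into {stanza: {key: value}}; stanza names kept exactly as written."""
    out, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\[(.*)\]\s*$", line)
        if m:
            cur = out.setdefault(m.group(1), {})
        elif cur is not None and "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return out

def lookup_fields(value):
    """'name f AS e OUTPUTNEW o AS x ...' -> (name, [lookup-side field names])."""
    name, *rest = value.split()
    fields, i = [], 0
    while i < len(rest):
        if rest[i].upper() in ("OUTPUT", "OUTPUTNEW"):
            i += 1
            continue
        fields.append(rest[i])
        # Skip "AS <event_field>" when present.
        i += 3 if i + 1 < len(rest) and rest[i + 1].upper() == "AS" else 1
    return name, fields

def check(props_text, transforms_text, sourcetype, csv_files):
    """Return a list of problems with the CSV automatic lookups defined for sourcetype."""
    props, transforms = stanzas(props_text), stanzas(transforms_text)
    if sourcetype not in props:
        near = [s for s in props if s.strip().lower() == sourcetype.lower()]
        return [f"no stanza [{sourcetype}] in props; near misses: {near}"]
    problems = []
    for key, value in props[sourcetype].items():
        if not key.startswith("LOOKUP-"):
            continue
        name, fields = lookup_fields(value)
        filename = transforms.get(name, {}).get("filename")
        if filename not in csv_files:
            problems.append(f"{key}: [{name}] has no usable filename ({filename})")
            continue
        header = next(csv.reader(io.StringIO(csv_files[filename])))
        problems += [f"{key}: {f!r} not in header {header}" for f in fields if f not in header]
    return problems

# Constructed samples: stanza names from the thread; the file name and row are assumptions.
PROPS = ("[smptsm_accesslog]\nLOOKUP-pn_ip_env = pn_ip_env ip AS ip OUTPUTNEW "
         "inbound AS pn_inbound pn AS pn_name variety AS pn_variety\n")
TRANSFORMS = "[pn_ip_env]\nfilename = pn_ip_env.csv\n"
CSVS = {"pn_ip_env.csv": "ip,inbound,pn,variety\n10.0.0.1,yes,pn1,a\n"}
print(check(PROPS, TRANSFORMS, "smptsm_accesslog", CSVS))
```

An empty list means the three files agree with each other; it does not cover permissions or app context, which still have to be checked in Splunk itself.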