Splunk Search

Why doesn't the Automatic lookup work?

rajneeshc1981
Explorer

I have a new lookup set up and I want to query against it. Presently it's not working. May I know what I have to do in order to get it set up for auto lookup?

thanks

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

1) Try manually checking the data

| inputlookup mylookup.csv

that should tell you if it's there.

2) Try manually testing a lookup. Assuming the name of the lookup field is foo, and one record in the lookup the field foo has a value of "bar", and there is another column named baz.

| makeresults 
| eval foo = "bar"
| lookup mylookup.csv foo OUTPUT baz 

If both of those work, then you have probably set up the lookup itself incorrectly. If one of them fails, then either the definition is wrong, the lookup name is wrong, or the data is wrong.


0 Karma

woodcock
Esteemed Legend

Assuming that your event data's field name is foo and the matching lookup field name is bar:

1: Use "|inputlookup YourLookupFileNameHere.csv" to see if your file is searchable from your user/app context.
2: Use "|inputlookup YourLookupFileNameHere.csv | where bar=*" to see if your file has the right field name.
3: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo" to see if your data is searchable from your user/app context.
4: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo | where foo=*" to see if your data has the right field name.
5: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo | where foo=* | lookup YourLookupFileNameHere.csv | where bar=*" to test that all this works together.
6: CLONE your existing automatic lookup definition and make sure that, if you are using a sourcetype-based stanza, the sourcetype listed is *exactly* the "AndSourcetypeToo" of your event data. Upper/lower-case matters. Why did I have you clone it? Because that is the only practical way to see if you have accidental whitespace at the beginning or end of your sourcetype string, as can easily happen when doing cut/paste. You can see it when you clone but not by looking at it on the screen any other practical way (yes, you could use a "|rest" call but this is way quicker/easier). I suspect that this is your problem.
0 Karma

rajneeshc1981
Explorer

| inputlookup mylookup.csv (works)
index=xyz | inputlookup mylookup.csv (doesn't work)

0 Karma

woodcock
Esteemed Legend

There are 2 lookup-ish commands: inputlookup and lookup. You are confusing the two. Read my post again.

gordo32
Communicator

There is actually one more possible issue - when using a remote Indexer. You need to enable replication of KVStore lookups by adding this to <app>/local/collections.conf:

[<automatic_lookup_name>_kvstore]
replicate = true
0 Karma

youngsuh
Contributor

@DalJeanis when you say "If both of those work, then you have probably set up the lookup itself incorrectly." did you mean you have set up the lookup correctly? Both of my queries work.

| inputlookup q-compliance_system_asset_mapping  (working)

| eval foo = "bar" | lookup q-compliance_system_asset_mapping dns AS dest OUTPUT system AS system  (working)

But it's not working on pivot. Do you have any suggestion on how to troubleshoot?

0 Karma

rajneeshc1981
Explorer

How do I check that the auto lookup is working?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Does the sourcetype smptsm_accesslog have matching ip values?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I've left my crystal ball in storage, sorry - you will need to post more details about what you're doing. For example, post the props.conf and transforms.conf entries you've made. Post what apps you've placed them in, what permissions you've given them, what app you're searching from, what user/role combo you're searching from, etc.

0 Karma

rajneeshc1981
Explorer

props.conf:
[smptsm_accesslog]
LOOKUP-pn_ip_env = pn_ip_env ip AS ip OUTPUTNEW inbound AS pn_inbound pn AS pn_name variety AS pn_variety

transforms.conf:
[pn_ip_env]
filename = pn_ip_env.csv

The csv file has four columns:
ip, inbound, pn, variety

0 Karma
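As an added example (not code from this thread or from Splunk), a small Python check that mechanises woodcock's clone-and-inspect advice against the props.conf/transforms.conf shape rajneeshc1981 posted: it parses both files, flags a stanza name that carries stray whitespace or differs from the event sourcetype only by case, confirms the LOOKUP- definition points at an existing transforms stanza, and checks that every lookup-side field is a column of the CSV. The sample configs and CSV header are constructed, and the trailing space in the stanza header is put there on purpose.

```python
PROPS_CONF = """[smptsm_accesslog ]
LOOKUP-pn_ip_env = pn_ip_env ip AS ip OUTPUTNEW inbound AS pn_inbound pn AS pn_name variety AS pn_variety
"""  # constructed, modelled on the thread; the trailing space in the stanza header is deliberate
TRANSFORMS_CONF = """[pn_ip_env]
filename = pn_ip_env.csv
"""  # constructed
CSV_HEADER = "ip,inbound,pn,variety"  # constructed header row of pn_ip_env.csv

def parse_conf(text):
    """Minimal .conf parser -> {stanza: {key: value}}; stanza names are kept verbatim."""
    stanzas, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]  # no .strip() here: whitespace inside the brackets is what we hunt
            stanzas[current] = {}
        elif "=" in stripped and current is not None and not stripped.startswith("#"):
            key, _, value = stripped.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def lookup_fields(definition):
    """Split a LOOKUP-<name> value into (transform name, [lookup-side field names])."""
    transform, *rest = definition.split()
    fields, i = [], 0
    while i < len(rest):
        if rest[i].upper() not in ("OUTPUT", "OUTPUTNEW"):
            fields.append(rest[i])
            if i + 1 < len(rest) and rest[i + 1].upper() == "AS":
                i += 2  # skip 'AS <event-field alias>'
        i += 1
    return transform, fields

def check_automatic_lookup(props_text, transforms_text, csv_header, sourcetype):
    """Return the misconfigurations to look at first; an empty list means the wiring looks sane."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    columns = [c.strip() for c in csv_header.strip().split(",")]
    problems = []
    for stanza, keys in props.items():
        if stanza != stanza.strip():
            problems.append(f"stanza [{stanza}] has leading/trailing whitespace")
        elif stanza.lower() == sourcetype.lower() and stanza != sourcetype:
            problems.append(f"stanza [{stanza}] matches sourcetype {sourcetype!r} only case-insensitively")
        for key, value in keys.items():
            if key.startswith("LOOKUP-"):
                transform, fields = lookup_fields(value)
                if transform not in transforms:
                    problems.append(f"{key}: no [{transform}] stanza in transforms.conf")
                problems += [f"{key}: field {f!r} is not a CSV column" for f in fields if f not in columns]
    return problems
```

Run `check_automatic_lookup(PROPS_CONF, TRANSFORMS_CONF, CSV_HEADER, "smptsm_accesslog")` to see the whitespace finding; paste your own two files and header in place of the constructed ones to check a real deployment.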

rajneeshc1981
Explorer

I read that. I created four columns for my csv and did props.conf and transforms.conf, and I want the lookup to automatically look up a field.

But when I do the query in the search I don't get any statistics. Why is it?

0 Karma