I read that ,I created four columns for my csv ..and did props and transforms.conf and I want the lookup to be automatically lookup for a field .
but when I do the query in the search I don't get any statistics. why is it ?.
I've left my crystal ball in storage, sorry - you will need to post more details about what you're doing. For example, post the props.conf and transforms.conf entries you've made. Post what apps you've placed them in, what permissions you've given them, what app you're searching from, what user/role combo you're searching from, etc.
LOOKUP-pnipenv = pnipenv ip AS ip OUTPUTNEW inbound AS pninbound pn AS pnname variety AS pnvariety
csv file has four columns-
1) Try manually checking the data
| inputlookup mylookup.csv
that should tell you if it's there.
2) Try manually testing a lookup. Assuming the name of the lookup field is
foo, and one record in the lookup the field
foo has a value of "bar", and there is another column named
| makeresults | eval foo = "bar" | lookup mylookup.csv foo OUTPUT baz
If both of those work, then you have probably set up the lookup itself incorrectly. If one of them fails, then either the definition is wrong, the lookup name is wrong, or the data is wrong.
@DalJeanis when you say "If both of those work, then you have probably set up the lookup itself incorrectly." did you mean you have set up the look correctly? Both of my query work.
| inputlookup q-compliance_system_asset_mapping (working) | eval foo = "bar" | lookup q-compliance_system_asset_mapping dns AS dest OUTPUT system AS system (working)
But, it's not working on pivot. do you have any suggestion on how to troubleshoot?
Assuming that your event data's field name is
foo and the matching lookup field name is
1: Use "|inputlookup YourLookupFileNameHere.csv" to see if your file is searchable from your user/app context. 2: Use "|inputlookup YourLookupFileNameHere.csv | where bar=*" to see if your file has the right field name. 3: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo" to see if your data is searchable from your user/app context. 4: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo | where foo=*" to see if your data has the right field name. 5: Use "index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo | where foo=* | lookup YourLookupFileNameHere.csv | where bar=*" to test that all this works together. 6: CLONE your existing automatic lookup definition and make sure that, if you are using a sourcetype-based stanza, that the sourcetype listed is *exactly* the "AndSourcetypToo" of your event data. Upper/lower-case matters. Why did I have you clone it? Because that is the only practical way to see if you have accidental whitespace at the beginning or end of your sourcetype string, as can easily happen when doing cut/paste. You can see it when you clone but not by looking at it on the screen any other practical way (Yes, you could use a "|rest" call but this is way quicker/easier). I suspect that this is your problem.