Splunk Search

Why is Lookup before transforming command not producing any results?

macadminrohit
Contributor

I have a network attributes sheet which contains all the details of the network devices across the enterprise, and i am looking to calculate the utilisation on those devices. FOr ex : i have to calculate bandwidth utilisation which requires two fields SPEED and incoming bytes. I have speed defined in a lookup for a site and for the same site i am having the incoming bytes in my index. I am trying to do a lookup but for some reason it doesnt produces the results , i tried to reproduce using makeresults and they work, but not the below query. It doesnt even produces any results . What could be the issue.

index=network_wan_circuits InterfaceName=200 earliest=-1h 
| rex field=Location "(Location)?(?<Site>\d{4})" 
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed

Testing using makeresults***

| makeresults | eval Site=tonumber(0115) | lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed

The above gives me the results.

0 Karma
1 Solution

woodcock
Esteemed Legend

Does this give you a list of 4-digit Site values?

index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(Location)?(?<Site>\d{4})"
| stats values(Site) BY Location

If not, then either you do not have Location fields or you do not have the correct rex. In so, I would try this:

index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed

And if not that, then maybe this:

index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| eval Site=tonumber(Site)
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed

View solution in original post

0 Karma

woodcock
Esteemed Legend

Does this give you a list of 4-digit Site values?

index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(Location)?(?<Site>\d{4})"
| stats values(Site) BY Location

If not, then either you do not have Location fields or you do not have the correct rex. In so, I would try this:

index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed

And if not that, then maybe this:

index=network_wan_circuits InterfaceName=200 earliest=-1h
| rex field=Location "(?:Location)?(?<Site>\d+)"
| eval Site=tonumber(Site)
| lookup network_attributes.csv Site OUTPUT Tunnel100_Down_or_In_Speed
0 Karma

woodcock
Esteemed Legend

So what did you end up doing? Where was the problem?

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...