- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why is my automatic lookup not populating a fi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Usually lookups aren't an issue, but today seems it is. I'm hoping this is just a pebcak 😉 This is the first time I'm attempting to run a lookup on eval fields rather than search-time extractions.
Anyway, to the issue.
I have a search index=ibm_xiv sourcetype="xiv:volpool" and this is OK. I then use eval to split a field value into a couple of new fields using | eval temp=split(vol_name,"_"), environment=mvindex(temp,0), channel=mvindex(temp,1). All is well. The 2 new fields are populated with the correct values which are abbreviations. Now I have created 2 CSV files to translate these abbreviations, created the lookup tables and definitions.
Both files are in the same format: Both the channel and environment column contain the abbreviations.
channel.csv = "channel","friendlyName"
environment.csv = "environment","friendlyName"
No matter how I configure an automatic lookup, it makes no difference what so ever.
Executing this works:
index=ibm_xiv sourcetype="xiv:volpool" | eval temp=split(vol_name,"_"), environment=mvindex(temp,0), channel=mvindex(temp,1) | lookup XIVChannels channel as channel OUTPUT friendlyName as channel
Having XIVChannels channel AS channel OUTPUT friendlyName AS channel as an automatic lookup does not 😞
Am I doing something wrong, or do I assume that at search-time the lookup is done after the evals (which is why it works on a manual search), but an automatic lookup is done before the evals?
TIA
Steve
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks woodcock, unfortunately I cannot get this to work. I've tried this on the HF which collects the data and also on the searchhead/indexer.
I've worked around it by setting up additional field extractions rather than trying to split a field 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks woodcock, unfortunately I cannot get this to work. I've tried this on the HF which collects the data and also on the searchhead/indexer.
I've worked around it by setting up additional field extractions rather than trying to split a field 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anything you do with eval at search-time cannot be made automatic, which makes sense, if you really think about how and when things happen. What you can do convert your eval stuff to be automatic and then you can make it all work:
props.conf:
[xiv:volpool]
TRANSFORMS-indextime_extractions = split_volume
transforms.conf:
[split_volume]
REGEX = ^(?<environment>[^_]+)_(?<channel>.*)$
SOURCE_KEY = vol_name
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
