
Why is my automatic lookup not populating a field?



Usually lookups aren't an issue, but today it seems they are. I'm hoping this is just a pebcak 😉 This is the first time I'm attempting to run a lookup on eval fields rather than search-time extractions.

Anyway, to the issue.
I have a search index=ibm_xiv sourcetype="xiv:volpool" and this is OK. I then use eval to split a field value into a couple of new fields using | eval temp=split(vol_name,"_"), environment=mvindex(temp,0), channel=mvindex(temp,1). All is well. The 2 new fields are populated with the correct values which are abbreviations. Now I have created 2 CSV files to translate these abbreviations, created the lookup tables and definitions.
Both files are in the same format; the channel and environment columns contain the abbreviations.
channel.csv = "channel","friendlyName"
environment.csv = "environment","friendlyName"

No matter how I configure an automatic lookup, it makes no difference whatsoever.

Executing this works:

index=ibm_xiv sourcetype="xiv:volpool" | eval temp=split(vol_name,"_"), environment=mvindex(temp,0), channel=mvindex(temp,1) | lookup XIVChannels channel as channel OUTPUT friendlyName as channel

Having XIVChannels channel AS channel OUTPUT friendlyName AS channel as an automatic lookup does not 😞

Am I doing something wrong, or do I assume that at search-time the lookup is done after the evals (which is why it works on a manual search), but an automatic lookup is done before the evals?



Re: Why is my automatic lookup not populating a field?


Anything you do with eval at search-time cannot be made automatic, which makes sense if you really think about how and when things happen. What you can do is convert your eval stuff to be automatic, and then you can make it all work:

# props.conf on the instance that parses the data (stanza for the sourcetype in the question)
[xiv:volpool]
TRANSFORMS-indextime_extractions = split_volume

# transforms.conf
[split_volume]
REGEX = ^(?<environment>[^_]+)_(?<channel>.*)$
SOURCE_KEY = vol_name
# Required for index-time field extractions so the named groups are written as indexed fields
WRITE_META = true

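Another way to "make the eval automatic", added here as an example and not part of either post: Splunk evaluates calculated fields (EVAL- in props.conf) before automatic lookups in its search-time order of operations, so moving the split into calculated fields lets the LOOKUP- stanzas see environment and channel. The lookup name XIVEnvironments and the output field names are assumptions; XIVChannels and the CSV files come from the question.

```conf
# props.conf on the search head, stanza for the sourcetype in the question
[xiv:volpool]
# Calculated fields are evaluated before automatic lookups at search time,
# so these replace the "| eval" in the search string. Calculated fields
# cannot be chained, so the split is repeated instead of going via temp.
EVAL-environment = mvindex(split(vol_name, "_"), 0)
EVAL-channel     = mvindex(split(vol_name, "_"), 1)
# Automatic lookups now match on the calculated fields. Writing the friendly
# name to a new field (assumed names) keeps the abbreviation available.
LOOKUP-xiv_channel     = XIVChannels channel OUTPUT friendlyName AS channel_name
LOOKUP-xiv_environment = XIVEnvironments environment OUTPUT friendlyName AS environment_name

# transforms.conf: lookup definitions backing the two CSV files
[XIVChannels]
filename = channel.csv

[XIVEnvironments]
filename = environment.csv
```

Confirm with a plain search such as index=ibm_xiv sourcetype="xiv:volpool" (no eval or lookup commands) that channel_name and environment_name appear in the field list.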

Re: Why is my automatic lookup not populating a field?


Many thanks woodcock, unfortunately I cannot get this to work. I've tried this on the HF which collects the data and also on the search head/indexer.

I've worked around it by setting up additional field extractions rather than trying to split a field 🙂
