Why is my lookup search query not returning expected results?

mistergreen28
New Member

I've got a KeywordList.csv lookup table with 3 columns (URI, URI_Keyword, URI_KeywordType). URI is a pre-existing field in our log data, while URI_Keyword and URI_KeywordType are new fields that I'd like to enrich our events with. I've created a file based lookup (KeywordList) definition that is used in the same app context & permissions as the KeywordList.csv.

What I'm trying to do is search our URI field with the keywords from the URI field in the lookup table, and then output corresponding URI_Keyword and URI_KeywordType field data for those events.

My script below brings back a table that has blank URI_Keyword and URI_KeywordType fields.

index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI OUTPUTNEW URI_Keyword, URI_KeywordType | table URI_Keyword, URI_KeywordType, URI

When removing the "| fields URI" piece from the subsearch, I get no results.

What am I doing wrong?

0 Karma

woodcock
Esteemed Legend

You are misunderstanding what this portion does:

... [|inputlookup KeywordList.csv | fields URI] ...

Try typing this into your search bar:

| inputlookup KeywordList.csv | fields URI | format

Then try it without | fields URI like this:

| inputlookup KeywordList.csv | format

Now you should understand that the first part of your search should probably be this (which does the same thing that you have, but more clearly and efficiently):

index=tmg [|inputlookup KeywordList.csv | fields URI] | ...

And you should be able to take it from there (I am not sure what your end-game is).

0 Karma
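An offline Python model of the two mechanisms this answer points at (the inputlookup subsearch that `| format` expands into an OR of `URI="..."` terms, and the `| lookup` enrichment step), added here as an illustration rather than code from the thread or from Splunk. The CSV rows and the `index=tmg` events are constructed; the `wildcard` branch stands in for a lookup definition whose transforms.conf sets `match_type = WILDCARD(URI)`, which is an assumption about the deployment and not something the thread states.

```python
from fnmatch import fnmatchcase

# Constructed stand-in for KeywordList.csv: URI is the lookup key, the other two
# columns are the fields the outer search wants to add to each event.
KEYWORD_LIST = [
    {"URI": "/login",   "URI_Keyword": "login", "URI_KeywordType": "auth"},
    {"URI": "/admin/*", "URI_Keyword": "admin", "URI_KeywordType": "privileged"},
]

# Constructed stand-in for events in index=tmg.
EVENTS = [
    {"URI": "/login"},
    {"URI": "/admin/users"},
    {"URI": "/Login"},          # differs from the lookup key only by case
    {"URI": "/static/app.js"},  # not in the lookup at all
]

OUTPUT_FIELDS = ("URI_Keyword", "URI_KeywordType")


def format_subsearch(rows, field):
    """What `| inputlookup KeywordList.csv | fields URI | format` hands to the outer search."""
    terms = [f'( {field}="{row[field]}" )' for row in rows]
    return "( " + " OR ".join(terms) + " )"


def search_filter(events, rows, field):
    """Apply the expanded OR clause. In a Splunk search, field="val*" is a wildcard
    comparison, so glob matching models the filter step."""
    return [ev for ev in events
            if any(fnmatchcase(ev.get(field, ""), row[field]) for row in rows)]


def lookup(events, table, key, output_fields, match_type="exact", output_new=True):
    """Model `| lookup KeywordList URI OUTPUT/OUTPUTNEW ...`.

    match_type="exact" is the default for a CSV lookup: the event value must equal
    the table value verbatim (case-sensitive). match_type="wildcard" models a lookup
    definition with match_type = WILDCARD(URI) in transforms.conf (assumed here).
    """
    enriched = []
    for ev in events:
        row = dict(ev)
        value = row.get(key, "")
        for entry in table:
            hit = (value == entry[key] if match_type == "exact"
                   else fnmatchcase(value, entry[key]))
            if hit:
                for field in output_fields:
                    if output_new and field in row:
                        continue  # OUTPUTNEW never overwrites an existing field
                    row[field] = entry[field]
                break
        enriched.append(row)
    return enriched


def run_pipeline(match_type="exact"):
    """index=tmg | search [subsearch] | lookup KeywordList URI OUTPUTNEW ... | table ..."""
    filtered = search_filter(EVENTS, KEYWORD_LIST, "URI")
    return lookup(filtered, KEYWORD_LIST, "URI", OUTPUT_FIELDS, match_type=match_type)


def blank_rows(rows):
    """URIs that came back without the enrichment fields: the symptom in the question."""
    return [row["URI"] for row in rows if not all(f in row for f in OUTPUT_FIELDS)]


if __name__ == "__main__":
    print(format_subsearch(KEYWORD_LIST, "URI"))
    for mode in ("exact", "wildcard"):
        rows = run_pipeline(mode)
        print(mode, "->", rows, "blank:", blank_rows(rows))
```

The point the model makes visible: the search filter and the lookup do not use the same matching rule. A `*` in a subsearch term is a wildcard for the `search` step, so an event passes the filter, but the default lookup then compares the key verbatim and adds nothing, which is exactly a table with populated `URI` and empty `URI_Keyword`/`URI_KeywordType` columns. Running `| inputlookup KeywordList.csv | format` as the answer suggests shows which literal values the lookup will try to match.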

peter_krammer
Communicator

Try whether one of these works for you:

index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI OUTPUT URI_Keyword, URI_KeywordType | table URI_Keyword, URI_KeywordType, URI

index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI | table URI_Keyword, URI_KeywordType, URI

index=tmg | lookup KeywordList URI | table URI_Keyword, URI_KeywordType, URI

Sorry I wrote a longer answer, but lost everything because of my browser, so this short answer is all you get from me at the moment.

0 Karma

mistergreen28
New Member

Thanks for the input. None of the modified scripts work. They all output blank URI_Keyword and URI_KeywordType fields.

0 Karma