Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the inputlookup not returning any records?

putrtek
New Member
‎02-11-2018 08:52 AM

I'm running Splunk Enterprise v7.01 running on Server 2012 R2
Lookups are not working in the Search App or in the Home Monitor App

Following the online Tutorial, I downloaded the sample data from Splunk.
I created a lookup table called prices using the prices.csv included in the download

Sample CSV data looks like this:

productId,product_name,price,sale_price,Code
DB-SG-G01,Mediocre Kingdoms,24.99,19.99,A
DC-SG-G02,Dream Crusher,39.99,24.99,B
FS-SG-G03,Final Sequel,24.99,16.99,C
WC-SH-G04,World of Cheese,24.99,19.99,D

I set the permissions on the prices.csv file to Everyone Read/Write All Apps
I configured a Lookup Definition prices_lookup pointing to the prices.csv file

props.conf 

[prices_lookup]
batch_index_query = 0
case_sensitive_match = 1
filename = prices.csv

To test my lookup I run the following Query:

'inputlookup prices' also tried 'inputlookup prices_lookup' and 'inputlookup prices.csv'

All of these queries return no records

What am I doing wrong?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-11-2018 09:56 AM

When you ran inputlookup prices did your search look exactly like that?

inputlookup is a generating command, and thus must have a leading |:

| inputlookup prices_lookup

As to which names you can use for the lookup, your transform is named prices_lookup, and your csv is named prices.csv, so either of these would work:

| inputlookup prices_lookup
| inputlookup prices.csv

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-11-2018 09:56 AM

When you ran inputlookup prices did your search look exactly like that?

inputlookup is a generating command, and thus must have a leading |:

| inputlookup prices_lookup

As to which names you can use for the lookup, your transform is named prices_lookup, and your csv is named prices.csv, so either of these would work:

| inputlookup prices_lookup
| inputlookup prices.csv

Reply
Solved! Jump to solution

putrtek
New Member
‎02-11-2018 12:43 PM

Thank You for the full explanation. Adding the leading pipe did work. I'm getting data back. Thanks

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-11-2018 09:54 AM

I'm guessing you forgot the leading pipe to run a non-search command: | inputlookup prices_lookup

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...