Splunk Search

Why is the inputlookup not returning any records?

putrtek
New Member

I'm running Splunk Enterprise v7.01 on Server 2012 R2.
Lookups are not working in the Search App or in the Home Monitor App.

Following the online Tutorial, I downloaded the sample data from Splunk.
I created a lookup table called prices using the prices.csv included in the download

Sample CSV data looks like this:

productId,product_name,price,sale_price,Code
DB-SG-G01,Mediocre Kingdoms,24.99,19.99,A
DC-SG-G02,Dream Crusher,39.99,24.99,B
FS-SG-G03,Final Sequel,24.99,16.99,C
WC-SH-G04,World of Cheese,24.99,19.99,D

I set the permissions on the prices.csv file to Everyone Read/Write All Apps
I configured a Lookup Definition prices_lookup pointing to the prices.csv file

props.conf

[prices_lookup]
batch_index_query = 0
case_sensitive_match = 1
filename = prices.csv

To test my lookup I run the following Query:

'inputlookup prices'; I also tried 'inputlookup prices_lookup' and 'inputlookup prices.csv'

All of these queries return no records

What am I doing wrong?

0 Karma
1 Solution

micahkemp
Champion

When you ran inputlookup prices did your search look exactly like that?

inputlookup is a generating command, and thus must have a leading |:

| inputlookup prices_lookup

As to which names you can use for the lookup, your transform is named prices_lookup, and your csv is named prices.csv, so either of these would work:

| inputlookup prices_lookup
| inputlookup prices.csv

putrtek
New Member

Thank you for the full explanation. Adding the leading pipe did work. I'm getting data back. Thanks.

0 Karma

martin_mueller
SplunkTrust

I'm guessing you forgot the leading pipe to run a non-search command: | inputlookup prices_lookup

0 Karma