Splunk Search

Why is the inputlookup not returning any records?

New Member

I'm running Splunk Enterprise v7.01 on Server 2012 R2.
Lookups are not working in the Search App or in the Home Monitor App

Following the online Tutorial, I downloaded the sample data from Splunk.
I created a lookup table called prices using the prices.csv included in the download

Sample CSV data looks like this:

productId,product_name,price,sale_price,Code
DB-SG-G01,Mediocre Kingdoms,24.99,19.99,A
DC-SG-G02,Dream Crusher,39.99,24.99,B
FS-SG-G03,Final Sequel,24.99,16.99,C
WC-SH-G04,World of Cheese,24.99,19.99,D

I set the permissions on the prices.csv file to Everyone Read/Write All Apps
I configured a Lookup Definition prices_lookup pointing to the prices.csv file

props.conf

[prices_lookup]
batch_index_query = 0
case_sensitive_match = 1
filename = prices.csv

To test my lookup I run the following Query:

'inputlookup prices' also tried 'inputlookup prices_lookup' and 'inputlookup prices.csv'

All of these queries return no records

What am I doing wrong?

0 Karma
1 Solution

Champion

When you ran inputlookup prices did your search look exactly like that?

inputlookup is a generating command, and thus must have a leading |:

| inputlookup prices_lookup

As to which names you can use for the lookup, your transform is named prices_lookup, and your csv is named prices.csv, so either of these would work:

| inputlookup prices_lookup
| inputlookup prices.csv

0 Karma

New Member

Thank you for the full explanation. Adding the leading pipe did work. I'm getting data back. Thanks.

0 Karma

SplunkTrust

I'm guessing you forgot the leading pipe to run a non-search command: | inputlookup prices_lookup

0 Karma
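
A lint check for the failure discussed in this thread, as an added example (not from the original posts and not Splunk's own code). A search that does not start with a pipe is run as an implicit `search` command, so `inputlookup prices_lookup` is matched as literal terms and returns nothing without an error; the check below flags saved searches that open with a generating command but lack the leading pipe. The `GENERATING` set is a partial list chosen for this example, and the stanza names, `index=web` and the sample searches are constructed.

```python
import re

# Generating commands that must open a search with "|".
# Partial list assumed for this example; extend it for your environment.
GENERATING = {"inputlookup", "inputcsv", "makeresults", "tstats", "metadata",
              "rest", "loadjob", "datamodel", "dbinspect", "eventcount"}

def missing_leading_pipe(spl):
    """Return the generating command a search opens with when the leading
    pipe is absent, otherwise None."""
    text = spl.strip()
    if not text or text.startswith("|"):
        return None
    first = re.split(r"[\s|]", text, maxsplit=1)[0].lower()
    return first if first in GENERATING else None

def lint_savedsearches(conf_text):
    """Scan savedsearches.conf-style text and return (stanza, command)
    for every 'search =' value that is missing its leading pipe."""
    findings, stanza = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif re.match(r"search\s*=", line):
            cmd = missing_leading_pipe(line.split("=", 1)[1])
            if cmd:
                findings.append((stanza, cmd))
    return findings

# Constructed sample: one broken search, one fixed, one ordinary event search.
SAMPLE = """\
[Price table - broken]
search = inputlookup prices_lookup

[Price table - fixed]
search = | inputlookup prices_lookup

[Web errors with price]
search = index=web status=500 | lookup prices_lookup productId OUTPUT price
"""

if __name__ == "__main__":
    for stanza, cmd in lint_savedsearches(SAMPLE):
        print(f"{stanza}: '{cmd}' needs a leading pipe")
```
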