Splunk Search

Why isn't my dynamic lookup returning a value?

erickyi
Path Finder

I have been staring at this problem for eons but I'm stuck.
I have two dynamic lookups.

  1. volumeCheck (external lookup), fields defined = ip, volumes, vrank. Result: volumeCheck always returns vrank=UNK. I expect vrank to be GREEN or AMBER.
  2. top10InboundPortProtocol (external lookup), fields defined = port, protocol, rank. Result: returns GREEN, AMBER or RED (works).

I checked the logs and I can see that volumeCheck is returning RED or GREEN on stdout, but in the Splunk search it is showing vrank=UNK. I can't see any exception or error in splunkd.log.
FYI, in the dynamic lookup I set minimum matches=1 and default matches to UNK.

I have done many dynamic lookups but this one stumped me.

FYI, my Splunk search:

index="flowintegrator" src_port=21
| eval thisUser=src_ip + "_" + dest_ip
| bucket _time span=1d
| eval diff=floor((now() - _time)/86400)
| eval diff="row"+diff
| chart avg(bytes) over thisUser by diff
| eval row1=if(isnull(row1), 0, floor(row1))
| eval row2=if(isnull(row2), 0, floor(row2))
| eval row3=if(isnull(row3), 0, floor(row3))
| eval row4=if(isnull(row4), 0, floor(row4))
| eval row5=if(isnull(row5), 0, floor(row5))
| eval row6=if(isnull(row6), 0, floor(row6))
| eval volumes=row1+";"+row2+";"+row3+";"+row4+";"+row5+";"+row6
| lookup volumeCheck ip as thisUser, volumes OUTPUT vrank

Help.

0 Karma
1 Solution

erickyi
Path Finder

I found the problem. My mistake.

Details
Splunk matches the fields from the dynamic lookup.

If the fields passed to the dynamic lookup are 127.0.0.1_127.0.0.2, "1;2;3;4;5;6"
the dynamic lookup must return these two fields:
127.0.0.1_127.0.0.2, "1;2;3;4;5;6", RED

Previously, I was returning 127.0.0.1_127.0.0.2, 3, RED // i.e. column 2 does not match the input fields.

Hope this helps anyone who is doing dynamic lookups.


0 Karma
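The matching rule described in the answer above can be seen in a skeleton external lookup script. This is an added example, not the poster's volumeCheck script and not Splunk's own code: Splunk invokes an external lookup as `python volumeCheck.py ip volumes vrank` and pipes a CSV to stdin whose header names those fields, with the input fields (ip, volumes) filled in and the output field (vrank) empty. The script must write a CSV back in which the input field values are echoed unchanged next to the computed vrank, because Splunk only applies a returned row to an event when its input fields equal what was sent. The GREEN/AMBER/RED thresholds in `classify_volumes` and the sample rows in the test are constructed for illustration; the poster's real rules are not on the page.

```python
#!/usr/bin/env python3
"""Skeleton of a Splunk external (scripted) lookup, added as an example.

Splunk runs:  python volumeCheck.py ip volumes vrank
and feeds a CSV on stdin with header "ip,volumes,vrank". For each row the
input fields are populated and vrank is empty. A returned row is applied to
an event only when the input fields in that row are identical to what
Splunk sent, so they must be echoed back untouched.
"""
import csv
import io
import sys

INPUT_FIELDS = ["ip", "volumes"]   # what "lookup volumeCheck ip, volumes" sends
OUTPUT_FIELD = "vrank"


def classify_volumes(volumes):
    """Map a 'row1;row2;...;row6' string of daily byte averages to a rank.

    Constructed rule (assumption, not the poster's logic): compare the first
    value against the mean of the rest. Unparsable parts count as 0 so a
    malformed string degrades gracefully instead of crashing the lookup.
    """
    vals = []
    for part in volumes.split(";"):
        try:
            vals.append(float(part))
        except ValueError:
            vals.append(0.0)
    current, history = vals[0], vals[1:]
    baseline = sum(history) / len(history) if history else 0.0
    if baseline == 0.0:
        return "AMBER" if current > 0 else "GREEN"
    ratio = current / baseline
    if ratio >= 3.0:
        return "RED"
    if ratio >= 1.5:
        return "AMBER"
    return "GREEN"


def run_lookup(csv_text):
    """Process the CSV Splunk pipes to stdin; return (fieldnames, rows).

    Each returned row keeps ip and volumes exactly as received and fills in
    vrank. Returning a transformed value in an input column (for example a
    count instead of the original volumes string) is the bug from the thread:
    no returned row matches, so Splunk uses the configured default (UNK).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = []
    for row in reader:
        result = dict(row)                       # copy: input fields echoed unchanged
        result[OUTPUT_FIELD] = classify_volumes(row.get("volumes") or "")
        rows.append(result)
    fieldnames = reader.fieldnames or INPUT_FIELDS + [OUTPUT_FIELD]
    return fieldnames, rows


def splunk_would_match(sent_row, returned_row):
    """Mimic Splunk's matching: the returned row applies to the event only if
    every input field equals the value Splunk sent for it."""
    return all(sent_row.get(f) == returned_row.get(f) for f in INPUT_FIELDS)


def main():
    fieldnames, rows = run_lookup(sys.stdin.read())
    writer = csv.DictWriter(sys.stdout, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(rows)


if __name__ == "__main__":
    main()
```

To try it outside Splunk, pipe a two-line CSV (`ip,volumes,vrank` header plus a data row with an empty vrank) into the script; the row comes back with the same ip and volumes and a filled vrank. `splunk_would_match` is not something Splunk calls, it is only here to show why the earlier `127.0.0.1_127.0.0.2, 3, RED` row was discarded while `127.0.0.1_127.0.0.2, "1;2;3;4;5;6", RED` is accepted.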


DalJeanis
SplunkTrust

@erickyi - Thanks for posting your solution for others to benefit from. Please accept your answer so that the problem will show as closed.

0 Karma