Splunk Search

inputlookup error "line endings"

mikefoti
Communicator

I’m trying to troubleshoot my use of “inputlookup”.

First I verify the following search works:

index=ca cert_RN="Retail\S0002K02$"

It returns 2 records as expected.

I then create the inputlookup file

“C:\Program Files\Splunk\etc\apps\search\lookups\AccountNames.csv”

with only 2 lines (w/o the space between them):

cert_RN

Retail\S0002K02$

I then try this search:

index=ca [inputlookup AccountNames.csv | fields + cert_RN]

I get the following error:

[subsearch]: Lookup file 'C:\Program Files\Splunk\etc\apps\search\lookups\AccountNames.csv' may use mac-style line endings, which are unsupported.

0 Karma
1 Solution

MHibbin
Influencer

I'm guessing you are editing this csv file on an MS OS; which editor are you using? Have you tried using WordPad/Notepad to create your csv file? (Make sure that you save the file with the encoding utf-8 (I'm sure it doesn't matter with lookups, but Splunk prefers utf-8).)

However, I think your main issue is that your csv file only has one column (in the documentation, it mentions this and the utf-8 formatting). When I produce a csv which only has one column, I will typically produce a referencing column (which I normally call "match"), of which all the values in subsequent rows are "1", e.g. for your example:

match,cert_RN
1,Retail\S0002K02$
1,Retail\S1234A12$

n.b. the last line is added for effect

Then when you try the following search (with nothing before the "pipe")...

| inputlookup AccountNames.csv

Do you see the contents of the file?

After you have verified your results you could do a lookup on the match column outputting the field desired (note: you will need to include an "|eval match=1|" before doing the input lookup).

Hope this helps,

Regards,

MHibbin


rrovers
Contributor

Open the document in TextWrangler and choose:
- 'save'
- linebreaks 'windows (crlf)'
- encoding unicode (utf8)

0 Karma
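Added example, not code from any post in this thread: a Python check that counts the line-ending styles in a lookup CSV's raw bytes (a bare CR is the "mac-style" ending named in the error) and rewrites the file with CRLF endings as UTF-8, the save settings suggested above. The function names `inspect_lookup` and `normalize_lookup` are hypothetical, and the sample bytes are constructed from the values quoted in the thread.

```python
import re

# Constructed sample: the two-column lookup from the answer above, saved with
# bare CR (classic Mac) line endings.
SAMPLE_CR = b"match,cert_RN\r1,Retail\\S0002K02$\r1,Retail\\S1234A12$\r"

def inspect_lookup(data: bytes) -> dict:
    """Count each line-ending style in raw lookup bytes and test UTF-8 validity."""
    try:
        data.decode("utf-8")
        valid = True
    except UnicodeDecodeError:
        valid = False
    return {
        "crlf": data.count(b"\r\n"),                  # Windows
        "lf": len(re.findall(rb"(?<!\r)\n", data)),   # Unix
        "cr": len(re.findall(rb"\r(?!\n)", data)),    # classic Mac
        "valid_utf8": valid,
    }

def normalize_lookup(data: bytes, newline: bytes = b"\r\n") -> bytes:
    """Rewrite every line ending as `newline` and end the file with exactly one."""
    text = data.decode("utf-8")  # raises UnicodeDecodeError on other encodings
    lines = re.split(r"\r\n|\r|\n", text)
    while lines and lines[-1] == "":  # drop empty trailing lines
        lines.pop()
    if not lines:
        return b""
    return newline.join(line.encode("utf-8") for line in lines) + newline

if __name__ == "__main__":
    print("before:", inspect_lookup(SAMPLE_CR))
    fixed = normalize_lookup(SAMPLE_CR)
    print("after: ", inspect_lookup(fixed))
```

To check a real file, read it in binary mode (`open(path, "rb").read()`) so the platform's newline translation does not hide the original endings.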

MHibbin
Influencer

Mikefoti,

That's good news. Good luck.

Regards,

MHibbin

0 Karma

saurabh_tek
Communicator

@MHibbin Thanks

0 Karma

mikefoti
Communicator

MHibbin, my mistake. Your suggestions worked perfectly. My input file was at fault. Once I replaced my double-backslash with a single backslash, everything fell into place.

0 Karma

mikefoti
Communicator

Thank you MHibbin.
After adding the match column and saving as UTF-8, I do indeed get results from this search
|inputlookup AcctNames.csv

But this search yields no results:
index=ca [inputlookup AcctNames.csv |eval match=1|fields cert_RN]

0 Karma