Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

inputlookup returning 0 fields

j4adam
Communicator
‎07-27-2016 12:57 PM

Hello all,

I've done this a million times, but for some reason, it's not working for me today, and I suspect it's something really silly that just needs some fresh eyes on it.

I have a .csv file:

dest_port,application
1,TCP Port Service Multiplexer (TCPMUX)
5,Remote Job Entry (RJE)
7,ECHO
18,Message Send Protocol (MSP)
20,FTP -- Data
21,FTP -- Control
...etc...

I've created a lookup table file and lookup definition in the same app context. I run | inputlookup known_tcp_ports.csv and I get the table (with the order backwards, application first followed by dest_port).

I created an automatic lookup that has input: dest_port = dest_port (exists in my data and identical name as port header in csv) and the output is application=application. This doesn't work, so I dug into it and even the normal lookup doesn't work!

I'm staring at an event with dest_port=20 right now and when I run index=main sourcetype=web* dest_port=20 [ | inputlookup known_tcp_ports.csv ] I get bupkis.

Any ideas? I'm sure it's something really simple.

Edit: Running index=main dest_ip=* | lookup known_tcp_ports.csv dest_port OUTPUT application gets the application field. Not sure why I have to force it like that.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-27-2016 01:07 PM

Try this search. What do you get?

UPDATED based on comments

index=main sourcetype=web* dest_port=20 | lookup known_tcp_ports.csv dest_port AS dest_port OUTPUT application AS application

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-27-2016 01:10 PM

The subsearch method ( index=main sourcetype=web* dest_port=20 [ | inputlookup known_tcp_ports.csv ] ) is for filtering, not for data enrichment, so there won't be application column there. If the regular lookup work, check the syntax for the automatic lookup is correct and you're running the search is smart/verbose mode.

0 Karma
Reply
Solved! Jump to solution

j4adam
Communicator
‎07-27-2016 01:20 PM

And there it is. It's for filtering. Sigh. Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-27-2016 01:07 PM

Try this search. What do you get?

UPDATED based on comments

index=main sourcetype=web* dest_port=20 | lookup known_tcp_ports.csv dest_port AS dest_port OUTPUT application AS application
Reply
Solved! Jump to solution

j4adam
Communicator
‎07-27-2016 01:09 PM

I get 285 events but no application field.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-27-2016 01:13 PM

If you want the applications field, you will have to use lookup command. Try this

index=main sourcetype=web* dest_port=20 | lookup known_tcp_ports.csv dest_port AS dest_port OUTPUT application AS application
Reply
Solved! Jump to solution

j4adam
Communicator
‎07-27-2016 01:20 PM

Can you edit your main post to include this so I can accept it and hopefully save future people the headache I went through? 🙂

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...