Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

inputlookup returning 0 fields

j4adam
Communicator
‎07-27-2016 12:57 PM

Hello all,

I've done this a million times, but for some reason, it's not working for me today, and I suspect it's something really silly that just needs some fresh eyes on it.

I have a .csv file:

dest_port,application
1,TCP Port Service Multiplexer (TCPMUX)
5,Remote Job Entry (RJE)
7,ECHO
18,Message Send Protocol (MSP)
20,FTP -- Data
21,FTP -- Control
...etc...

I've created a lookup table file and lookup definition in the same app context. I run | inputlookup known_tcp_ports.csv and I get the table (with the order backwards, application first followed by dest_port).

I created an automatic lookup that has input: dest_port = dest_port (exists in my data and identical name as port header in csv) and the output is application=application. This doesn't work, so I dug into it and even the normal lookup doesn't work!

I'm staring at an event with dest_port=20 right now and when I run index=main sourcetype=web* dest_port=20 [ | inputlookup known_tcp_ports.csv ] I get bupkis.

Any ideas? I'm sure it's something really simple.

Edit: Running index=main dest_ip=* | lookup known_tcp_ports.csv dest_port OUTPUT application gets the application field. Not sure why I have to force it like that.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-27-2016 01:07 PM

Try this search. What do you get?

UPDATED based on comments

index=main sourcetype=web* dest_port=20 | lookup known_tcp_ports.csv dest_port AS dest_port OUTPUT application AS application

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-27-2016 01:10 PM

The subsearch method ( index=main sourcetype=web* dest_port=20 [ | inputlookup known_tcp_ports.csv ] ) is for filtering, not for data enrichment, so there won't be application column there. If the regular lookup work, check the syntax for the automatic lookup is correct and you're running the search is smart/verbose mode.

0 Karma
Reply
Solved! Jump to solution

j4adam
Communicator
‎07-27-2016 01:20 PM

And there it is. It's for filtering. Sigh. Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-27-2016 01:07 PM

Try this search. What do you get?

UPDATED based on comments

index=main sourcetype=web* dest_port=20 | lookup known_tcp_ports.csv dest_port AS dest_port OUTPUT application AS application
Reply
Solved! Jump to solution

j4adam
Communicator
‎07-27-2016 01:09 PM

I get 285 events but no application field.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎07-27-2016 01:13 PM

If you want the applications field, you will have to use lookup command. Try this

index=main sourcetype=web* dest_port=20 | lookup known_tcp_ports.csv dest_port AS dest_port OUTPUT application AS application
Reply
Solved! Jump to solution

j4adam
Communicator
‎07-27-2016 01:20 PM

Can you edit your main post to include this so I can accept it and hopefully save future people the headache I went through? 🙂

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...