Splunk Search

inputlookup returning 0 fields

j4adam
Communicator

Hello all,

I've done this a million times, but for some reason, it's not working for me today, and I suspect it's something really silly that just needs some fresh eyes on it.

I have a .csv file:

dest_port,application
1,TCP Port Service Multiplexer (TCPMUX)
5,Remote Job Entry (RJE)
7,ECHO
18,Message Send Protocol (MSP)
20,FTP -- Data
21,FTP -- Control
...etc...

I've created a lookup table file and lookup definition in the same app context. I run | inputlookup known_tcp_ports.csv and I get the table (with the order backwards, application first followed by dest_port).

I created an automatic lookup that has input: dest_port = dest_port (exists in my data and identical name as port header in csv) and the output is application=application. This doesn't work, so I dug into it and even the normal lookup doesn't work!

I'm staring at an event with dest_port=20 right now and when I run index=main sourcetype=web* dest_port=20 [ | inputlookup known_tcp_ports.csv ] I get bupkis.

Any ideas? I'm sure it's something really simple.

Edit: Running index=main dest_ip=* | lookup known_tcp_ports.csv dest_port OUTPUT application gets the application field. Not sure why I have to force it like that.

0 Karma
1 Solution

sundareshr
Legend

Try this search. What do you get?

UPDATED based on comments

index=main sourcetype=web* dest_port=20 | lookup known_tcp_ports.csv dest_port AS dest_port OUTPUT application AS application

View solution in original post

somesoni2
Revered Legend

The subsearch method ( index=main sourcetype=web* dest_port=20 [ | inputlookup known_tcp_ports.csv ] ) is for filtering, not for data enrichment, so there won't be application column there. If the regular lookup work, check the syntax for the automatic lookup is correct and you're running the search is smart/verbose mode.

0 Karma

j4adam
Communicator

And there it is. It's for filtering. Sigh. Thanks!

0 Karma

sundareshr
Legend

Try this search. What do you get?

UPDATED based on comments

index=main sourcetype=web* dest_port=20 | lookup known_tcp_ports.csv dest_port AS dest_port OUTPUT application AS application

j4adam
Communicator

I get 285 events but no application field.

0 Karma

sundareshr
Legend

If you want the applications field, you will have to use lookup command. Try this

index=main sourcetype=web* dest_port=20 | lookup known_tcp_ports.csv dest_port AS dest_port OUTPUT application AS application 

j4adam
Communicator

Can you edit your main post to include this so I can accept it and hopefully save future people the headache I went through? 🙂

Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...