Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

lookup command not working while inputlookup working

Mrig342
Contributor
‎01-04-2022 03:29 AM

Hi All,

I have a .csv file  named Master_List.csv added to splunk lookup. It has the values of the fields "Tech Stack", "Environment", "Region" and "host" and has about 350 values per field. After adding the lookup table, inputlookup command is working fine and is giving the output table.

But when I am using lookup command in the below query, I am not getting the fields in the output on the left-hand side even though all the required permissions have been provided:

index=tibco_main sourcetype="NON-DIGITAL_TIBCO_INFRA_FS"  | regex _raw!="^\d+(\.\d+){0,2}\w"
| regex _raw!="/apps/tibco/datastore"
| rex field=_raw "(?ms)\s(?<Disk_Usage>\d+)%"
| rex field=_raw "(?ms)\%\s(?<File_System>\/\w+)"
| rex field=_raw "(?P<Time>\w+\s\w+\s\s\d+\s\d+\:\d+\:\d+\s\w+\s\d+)\s\d"
| rex field=_raw "(?ms)\d\s(?<Total>\d+(\.\d+){0,2})\w\s\d" | rex field=_raw "(?ms)G\s(?<Used>\d+(\.\d+){0,2})\w\s\d"
| lookup Master_List.csv "Environment"

Can someone please guide me on how to get the lookup command working or help modify the command.

 

Thank you..

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

Mrig342
Contributor
‎01-04-2022 04:21 AM

Hi ITWhisperer,

I tried with "host" too instead of "Environment". It didn't work either. Can you suggest why..?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Mrig342
Contributor
‎01-04-2022 04:21 AM

Hi ITWhisperer,

I tried with "host" too instead of "Environment". It didn't work either. Can you suggest why..?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-04-2022 04:23 AM

What values for host do you have in your events and what values do you have in you csv file? Perhaps there is a mismatch?

Reply
Solved! Jump to solution

Mrig342
Contributor
‎01-04-2022 08:09 PM

Hi ITWhisperer,

There is no mismatch between the hosts available in the events and the csv file. However, now I am able to see the fields coming up and the lookup command is working fine. Don't know how it worked now, but seems my requirement is fulfilled.

Thank you.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-04-2022 03:58 AM

You don't appear to have an Environment field extracted, should you be looking up by host instead?

Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...