I have already worked with the lookup feature of Splunk (tables, definitions and automatic lookups), and it is working correctly, even though I created a script to use the inputlookup command to automatically update the lookup table when needed.
The CSV file of the lookup table has the following structure:
The idea with this lookup is to match appid with one of the attributes that Splunk has from a search and then add the value of appName to the result of that search, for example:
appid will match the values of systemd_unit
With that match, the search will add the attribute appname with the value of appName from the lookup table.
That behavior works with the values above, but when I try to create another lookup table and its definition with different values, matching the same attributes in Splunk, it does not create the new attribute in the search. I tested that with this search:
Here the systemd_unit it tries to match is everything that has 'container' in its name, and then it creates a new attribute called appName with the corresponding value of appName in the lookup table.
That doesn't work because the search for container and the corresponding lookup value in the lookup table are new.
But with the old values of the lookup table, I mean old values from other lookup tables that I use in the new lookup table, it works correctly, creating the new attribute in the search.
My question is: do I need to do something more than creating the lookup table and definition to make this work for new values?
Hi @venkatasri, yes, the command and the output of | inputlookup are the following:
This is the lookup table and the search to generate it:
Yes, I'm running the lookup in the same scope and in the same app. This is the lookup definition:
And this is the lookup table:
And this is the new search that I'm using:
As you can see, I try to match the values of appid in the lookup table to systemd_unit in the search, and the values match for containerd.service, but the new value that should show in appName doesn't show.
But if I change the search a little to include another value, not just containerd, it works correctly, but it only shows the other value.
I think this other value is correctly retrieved because it is a value that exists in the other lookups that work correctly.
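The following is an added example, not code from the original post or from Splunk, that reproduces in plain Python what the lookup described in the question does (match the CSV column appid against the event field systemd_unit and output appName) and what the reply's inputlookup check is meant to confirm. The CSV rows and events are constructed; only the column and field names come from the thread. It also shows the one behaviour worth checking when a freshly added row never appears in results: a CSV lookup in Splunk is an exact string match, case-sensitive unless the lookup definition sets case_sensitive_match to false, and it never trims whitespace from the key. The near_misses function reports rows that would match only after normalisation, which is the kind of row that looks right in inputlookup output but is silently skipped by the lookup.

```python
"""Simulate a Splunk CSV lookup (appid -> appName) over constructed events."""
import csv
import io

# Constructed lookup table standing in for the poster's CSV; column names
# (appid, appName) are from the thread, the values are made up. Two rows are
# deliberately "dirty": a trailing space and a capital letter in the key.
LOOKUP_CSV = """appid,appName
containerd.service,Containerd
docker.service,Docker
sshd.service ,OpenSSH
Nginx.service,Nginx
"""

# Constructed events standing in for search results that carry systemd_unit.
EVENTS = [
    {"host": "web-01", "systemd_unit": "containerd.service"},
    {"host": "web-01", "systemd_unit": "sshd.service"},
    {"host": "web-02", "systemd_unit": "nginx.service"},
    {"host": "web-02", "systemd_unit": "cron.service"},
]


def load_lookup(csv_text, key_field, output_field):
    """Parse the CSV the way `| inputlookup` would show it: keys kept verbatim."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[key_field]: row[output_field] for row in rows}


def apply_lookup(events, table, event_field, output_field,
                 case_sensitive=True, strip=False):
    """Mimic `| lookup <definition> appid AS systemd_unit OUTPUT appName`.

    Default behaviour (case_sensitive=True, strip=False) is the exact match a
    Splunk CSV lookup performs. The two flags exist only to demonstrate which
    rows start matching once case or whitespace stops mattering.
    """
    def norm(value):
        if strip:
            value = value.strip()
        if not case_sensitive:
            value = value.lower()
        return value

    index = {norm(key): out for key, out in table.items()}
    enriched = []
    for event in events:
        event = dict(event)  # never mutate the caller's events
        key = norm(event.get(event_field, ""))
        if key in index:
            event[output_field] = index[key]
        enriched.append(event)
    return enriched


def near_misses(events, table, event_field):
    """Map each unmatched event value to lookup keys it would match after
    trimming whitespace and folding case. Non-empty output means the CSV row
    exists but can never match under exact comparison."""
    def loose(value):
        return value.strip().lower()

    loose_index = {}
    for key in table:
        loose_index.setdefault(loose(key), []).append(key)

    misses = {}
    for event in events:
        value = event.get(event_field, "")
        if value in table:
            continue
        candidates = loose_index.get(loose(value), [])
        if candidates:
            misses[value] = candidates
    return misses


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV, "appid", "appName")
    for row in apply_lookup(EVENTS, table, "systemd_unit", "appName"):
        print(row)
    print("rows that only match after normalisation:",
          near_misses(EVENTS, table, "systemd_unit"))
```

Run as-is, only the containerd.service event gains appName; the sshd and nginx events stay bare even though their rows are visibly present in the table, and near_misses points at exactly those two rows. In Splunk the equivalent check is to compare the raw key shown by inputlookup against the raw field value in the search character by character (quotes, case, trailing spaces), or to set case_sensitive_match to false in the lookup definition if case is the only difference.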