Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to use universal source type for lookup a multiple indexs

linu1988
Champion
‎02-04-2013 09:11 PM

I want to use two lookups where the logged in user roles are input to the 1st lookup and the 2nd lookup is fed by the result of 1st look up. But while implementing at the server i am getting "could not find fields for lookup table , conf missing the relevant fields error. Can any body help in this?

First Csv contains Second Csv Contains

Roles,Server Server,tier
admin,A A,C
User,B B,D

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎02-05-2013 02:42 AM

You're using the lookup command wrong. You're specifying "Role as roles", but it should be the other way around - "roles as Role" (and same thing for the other lookup).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎02-05-2013 02:42 AM

You're using the lookup command wrong. You're specifying "Role as roles", but it should be the other way around - "roles as Role" (and same thing for the other lookup).

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎02-05-2013 03:15 AM

Thanks for the explanation Ayn, With some modifications it started working. 🙂

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎02-05-2013 01:51 AM

Ayn, the lookups used contain the fields which are being called from search query. its defined like "| rest /services/authentication/users | lookup samplelookup Role as roles | fields Server| mvexpand Server | Lookup mytiers Servers as Server". Any suggessions on the implementation?

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎02-05-2013 01:07 AM

i have modified the transforms.conf and props.conf to define the lookup table and definition

SO definition goes like this

[tiers]
Lookup-sample=mylookup Roles OUTPUT Server
Lookup-tier=mytiers Server OUTPUT tier

I am getting the result but when it is applied on different indexed data, i getting Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'tiers' and lookup table 'samplelookup'.

I am using the Rest api to get the user roles then i am looking up for the relevant fields to populate the dropdown from the results

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎02-05-2013 12:51 AM

When you call it on different indexed data, exactly how are you calling it? Because the error message really says it - you're telling it to use lookup fields that don't exist in the lookups you're calling.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎02-05-2013 12:24 AM

More details please. What do your config files look like? How are you calling your lookups?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...