Splunk Search

Can do search time lookup but automatic lookup not working

jalfrey
Communicator

Sorry I use underscores "_" in my variable names and this forum causes those to be italics instead! So I changed all of them to be hyphens "-"

I can do an inline lookup like this:

lookup sonicwall-app-id app-id as app OUTPUT app-name

but when I set it up as an automatic lookup like this:


lookup table: sonicwall-app-id

lookup input fields: app-id, app

lookup output fields: app-name, app-name

0 Karma

mlconnor
Explorer

I had a similar issue. Make sure that the sourcetype on the data returned matches the sourcetype in your automatic lookup definition.

0 Karma

jalfrey
Communicator

I was able to get this working. The search time lookup is configured a bit differently than the automatic lookup.

  • After adding the lookup table you need to change the permissions so it's at least shared with the app.
  • In my app I have a custom sourcetype for my data so I had to select that or it would not work.
  • The last snag I hit was the variable names. The first value is the variable name from the .csv file. The second is the variable from Splunk data. If you get them backwards it won't work. Actually you'll get an error that it couldn't find the field. I recommend leaving the rest blank and it will auto export the rest of the variables from the .csv file.
0 Karma
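
The field-order and sourcetype snags described in the answer above can be checked offline against the lookup file's header. This is an added example, not code from the original posts or from Splunk; the sourcetype name `sonicwall`, the CSV row, the `LOOKUP-` class names and the function names are assumptions constructed for illustration, and the field names use the underscores the poster said the real ones have.

```python
import configparser
import csv
import io

# Constructed sample inputs (not from the thread). The sourcetype name
# "sonicwall" and the CSV row are hypothetical placeholders.
CSV_TEXT = "app_id,app_name\n49177,General HTTPS\n"
PROPS_TEXT = """
[sonicwall]
LOOKUP-good = sonicwall_app_id app_id AS app OUTPUT app_name
LOOKUP-reversed = sonicwall_app_id app AS app_id OUTPUT app_name
"""

def parse_lookup(value):
    """Split a props.conf LOOKUP- value into (table, inputs, outputs).
    Each entry is a (csv_field, event_field) pair; the CSV field comes first."""
    tokens = value.split()
    table, rest = tokens[0], tokens[1:]
    inputs, outputs = [], []
    target, i = inputs, 0
    while i < len(rest):
        if rest[i].upper() in ("OUTPUT", "OUTPUTNEW"):
            target, i = outputs, i + 1
        elif i + 2 < len(rest) and rest[i + 1].upper() == "AS":
            target.append((rest[i], rest[i + 2]))
            i += 3
        else:  # no AS clause: same name in the CSV and in the event
            target.append((rest[i], rest[i]))
            i += 1
    return table, inputs, outputs

def check_automatic_lookups(props_text, csv_text, event_sourcetype):
    """Return a list of problems that would stop the automatic lookup."""
    header = next(csv.reader(io.StringIO(csv_text)))
    props = configparser.RawConfigParser(delimiters=("=",), strict=False)
    props.optionxform = str  # keep LOOKUP-<class> keys case-sensitive
    props.read_string(props_text)
    problems = []
    if event_sourcetype not in props.sections():
        problems.append(f"no props stanza for sourcetype {event_sourcetype!r}")
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("LOOKUP-"):
                continue
            _table, inputs, outputs = parse_lookup(value)
            for csv_field, _event_field in inputs + outputs:
                if csv_field not in header:
                    problems.append(f"[{stanza}] {key}: {csv_field!r} is not a column of the lookup file")
    return problems
```

Lookup file and definition permissions, the first snag in the answer, are not covered by this check and still have to be set to at least app-level sharing.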

jeremiahc4
Builder

I'm having the same problem, I'm curious if you ever got this resolved and could post the fix.

0 Karma

jalfrey
Communicator

What am I doing wrong in the automatic lookup that's preventing the automatic lookup from running?

0 Karma

richgalloway
SplunkTrust

What is your question?

BTW, you can use underscores by escaping them with '\' or by entering the variables as code.

---
If this reply helps you, Karma would be appreciated.
0 Karma