Lookup is not working!

changwoo
Communicator

I tried this tutorial:

http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchTutorial/Usefieldlookups

  1. Upload a lookup file

  2. Define the field lookup

These two work great.

But when I tried an automatic lookup, it doesn't work.

I tried to search for sourcetype=access_*, and it shows that there are no matching results.

And the permission is "all apps".

The movielookup.csv structure is like:

movieId, movieName, movieGenre
1, Toy Story (1995), Animation

And where is transforms.conf?


mattness
Splunk Employee

Well, I'd start troubleshooting this by answering these questions:

  1. Is the movieId field in your data currently? Is it extracted as movieId and not something else (for example: MovieID or movieID or movie_id)? Lookups are case-sensitive, so this is important. If the fieldname is constructed differently, go back to the automatic lookup definition and change the lookup input field so it says (for example) MovieID = movieId.
  2. If the movieId field is in your data and it is constructed correctly in your automatic lookup definition, have you verified that the events that contain it have the source type access_combined_wcookie? If not, what sourcetype value do these events have? If it isn't access_combined_wcookie go back to the automatic lookup definition and put in the correct source type. (Note that you can also group by host or source.)

If the answer to both of these questions is "yes" then we'll have to go to inquiry stage two. But let's get the easy stuff sorted out first.

As for the transforms.conf file, you can find it in $SPLUNK_HOME/etc/system/local/. You can find more information about editing lookup configurations in .conf files here. But I would advise that we ensure that we can't fix the problem through the Settings pages before moving on to the .conf file configurations.
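What the Settings pages write out when you answer those two questions, as an added example (this is not configuration from the original post; the stanza names, the lookup name movielookup and the MovieID field-name variant are assumptions for illustration). A lookup defined through Settings > Lookups lands in the "Destination app" you picked, so with the Search app that is $SPLUNK_HOME/etc/apps/search/local/transforms.conf and props.conf, with the CSV in $SPLUNK_HOME/etc/apps/search/lookups/; $SPLUNK_HOME/etc/system/local/ only holds stanzas that were written there by hand. Both files are shown in one block, separated by comments:

```conf
# ---- transforms.conf (added example, not from the original post) ----
# The lookup table definition. The name in brackets is what props.conf
# and the | lookup command refer to; the filename is the uploaded CSV.
[movielookup]
filename = movielookup.csv
# Matching of lookup VALUES is case-sensitive by default. Only relax it
# if the movieId values in events and in the CSV differ in case.
# case_sensitive_match = false

# ---- props.conf (added example, not from the original post) ----
# The automatic lookup. The stanza name must be the sourcetype the
# events really carry (check with: ... | stats count by sourcetype).
# [host::<name>] or [source::<path>] stanzas work the same way.
[access_combined_wcookie]
# Syntax: LOOKUP-<label> = <transform> <lookup field> [AS <event field>] OUTPUT <lookup fields>
# Field NAMES are case-sensitive: "movieId" here must match both the CSV
# header and the field extracted from the events exactly.
LOOKUP-movie = movielookup movieId OUTPUT movieName movieGenre
# If the field is extracted from the events under another name (assumed
# here: MovieID), map it with AS instead of renaming the CSV column:
# LOOKUP-movie = movielookup movieId AS MovieID OUTPUT movieName movieGenre
```

Checks worth running before touching the files: "| inputlookup movielookup.csv" confirms the table is readable and shows the exact header names as Splunk sees them; "sourcetype=access_* | lookup movielookup movieId OUTPUT movieName" performs the same lookup explicitly, so if that works the problem is in the automatic-lookup definition (sourcetype stanza or field name), not in the table; and "splunk btool props list access_combined_wcookie --debug" on the search head prints every LOOKUP- setting for that sourcetype together with the file it came from, which is the quickest way to find which transforms.conf/props.conf is in effect. Edits made by hand to props.conf are picked up after a restart (or a visit to /debug/refresh).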


changwoo
Communicator

This helped me a lot!

What I was trying to do works great!

It was hard work because all the fields were scrambled :<
