- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is my lookup search query not returning expect...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is my lookup search query not returning expected results?
I've got a KeywordList.csv lookup table with 3 columns (URI, URI_Keyword, URI_KeywordType). URI is a pre-existing field in our log data, while URI_Keyword and URI_KeywordType are new fields that I'd like to enrich our events with. I've created a file based lookup (KeywordList) definition that is used in the same app context & permissions as the KeywordList.csv.
What I'm trying to do is search our URI field with the keywords from the URI field in the lookup table, and then output corresponding URI_Keyword and URI_KeywordType field data for those events.
My script below brings back a table that has blank URI_Keyword and URI_KeywordType fields.
index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI OUTPUTNEW URI_Keyword, URI_KeywordType | table URI_Keyword, URI_KeywordType, URI
When removing he "| fields URI" piece from the subsearch, I get no results.
What am I doing wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are misunderstanding what this portion does:
... [|inputlookup KeywordList.csv | fields URI] ...
Try typing this into your search bar:
| inputlookup KeywordList.csv | fields URI | format
Then try it without | fields URL like this:
| inputlookup KeywordList.csv | format
Now you should understand that the first part of your search should probably be this (which does the same thing that you have, but more clearly and efficiently):
index=tmg [|inputlookup KeywordList.csv | fields URI] | ...
And you should be able to take it from there (I am not sure what your end-game is).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try if one of these works for you:
index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI OUTPUT URI_Keyword, URI_KeywordType | table URI_Keyword, URI_KeywordType, URI
index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI | table URI_Keyword, URI_KeywordType, URI
index=tmg | lookup KeywordList URI | table URI_Keyword, URI_KeywordType, URI
Sorry I wrote a longer answer, but lost everything because of my browser, so this short answer is all you get from me at the moment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the input. None of the modified scripts work. They all output blank URI_Keyword and URI_KeywordType fields.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
