Splunk Search

Why is my lookup search query not returning expected results?

mistergreen28
New Member

I've got a KeywordList.csv lookup table with 3 columns (URI, URI_Keyword, URI_KeywordType). URI is a pre-existing field in our log data, while URI_Keyword and URI_KeywordType are new fields that I'd like to enrich our events with. I've created a file-based lookup (KeywordList) definition that is used in the same app context & permissions as the KeywordList.csv.

What I'm trying to do is search our URI field with the keywords from the URI field in the lookup table, and then output corresponding URI_Keyword and URI_KeywordType field data for those events.

My script below brings back a table that has blank URI_Keyword and URI_KeywordType fields.

index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI OUTPUTNEW URI_Keyword, URI_KeywordType | table URI_Keyword, URI_KeywordType, URI

When removing the "| fields URI" piece from the subsearch, I get no results.

What am I doing wrong?

0 Karma

woodcock
Esteemed Legend

You are misunderstanding what this portion does:

... [|inputlookup KeywordList.csv | fields URI] ...

Try typing this into your search bar:

| inputlookup KeywordList.csv | fields URI | format

Then try it without | fields URI like this:

| inputlookup KeywordList.csv | format

Now you should understand that the first part of your search should probably be this (which does the same thing that you have, but more clearly and efficiently):

index=tmg [|inputlookup KeywordList.csv | fields URI] | ...

And you should be able to take it from there (I am not sure what your end-game is).

0 Karma

peter_krammer
Communicator

Try if one of these works for you:

index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI OUTPUT URI_Keyword, URI_KeywordType | table URI_Keyword, URI_KeywordType, URI

index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI | table URI_Keyword, URI_KeywordType, URI

index=tmg | lookup KeywordList URI | table URI_Keyword, URI_KeywordType, URI

Sorry I wrote a longer answer, but lost everything because of my browser, so this short answer is all you get from me at the moment.

0 Karma

mistergreen28
New Member

Thanks for the input. None of the modified scripts work. They all output blank URI_Keyword and URI_KeywordType fields.

0 Karma
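As an added illustration (a small Python model, not Splunk itself and not code from anyone in this thread), the script below reproduces what `| format` does to the subsearch woodcock points at, with and without `| fields URI`, and then applies an exact-match lookup the way `| lookup KeywordList URI OUTPUTNEW ...` does. The CSV rows and events are constructed; the assumption is that the lookup's URI column holds keyword values that do not exactly match the event URI (substring or different case), which is one way OUTPUTNEW fields come back blank, since CSV lookups match case-sensitively by default.

```python
import csv
import io

# Constructed sample data: a tiny KeywordList.csv and a few events (not from the thread).
KEYWORD_CSV = """URI,URI_Keyword,URI_KeywordType
/login,login,auth
/admin,admin,privileged
"""
EVENTS = [
    {"URI": "/login"},        # exact match: the lookup enriches this event
    {"URI": "/admin/users"},  # keyword is only a prefix: an exact-match lookup misses it
    {"URI": "/LOGIN"},        # case differs: a case-sensitive lookup misses it
]

def load_lookup(text):
    """Read the lookup CSV into a list of row dicts, like inputlookup would."""
    return list(csv.DictReader(io.StringIO(text)))

def format_subsearch(rows, fields=None):
    """Model of `| format`: every row becomes an AND of field="value" terms, rows are OR'ed.
    Without `| fields URI` the URI_Keyword/URI_KeywordType columns become AND terms too,
    which is why the outer search then matches no events."""
    clauses = []
    for row in rows:
        keep = [(k, v) for k, v in row.items() if fields is None or k in fields]
        clauses.append("( " + " AND ".join(f'{k}="{v}"' for k, v in keep) + " )")
    return "( " + " OR ".join(clauses) + " )"

def lookup(events, rows, key, case_sensitive=True):
    """Model of `| lookup KeywordList <key> OUTPUTNEW ...`: exact match on the key field,
    output fields only filled when the event does not already have them (OUTPUTNEW).
    Misses leave the output fields blank, which is the symptom described in the thread."""
    norm = (lambda s: s) if case_sensitive else str.lower
    table = {norm(r[key]): r for r in rows}
    enriched = []
    for ev in events:
        row = table.get(norm(ev[key]))
        out = dict(ev)
        for col in rows[0]:
            if col != key:
                out.setdefault(col, row[col] if row else "")
        enriched.append(out)
    return enriched

if __name__ == "__main__":
    rows = load_lookup(KEYWORD_CSV)
    print(format_subsearch(rows, fields={"URI"}))
    print(format_subsearch(rows))
    for ev in lookup(EVENTS, rows, "URI"):
        print(ev)
```

Running it shows only the first event getting URI_Keyword/URI_KeywordType; passing `case_sensitive=False` makes the third event match as well, which is the knob `case_sensitive_match` controls on a real lookup definition.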