Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can't get lookups to work

timmy13
Communicator
‎06-08-2011 12:24 PM

I am just using some test data that I generated to try to get lookups to work.

First, my log (completely manually generated and meaningless) file looks like this....

TimeDate:201108034352 USERID:100002 PRODUCTION:71

TimeDate:201105014327 USERID:100001 PRODUCTION:37

TimeDate:201112014446 USERID:100002 PRODUCTION:92

TimeDate:201107060448 USERID:100003 PRODUCTION:14

There are about 10000 lines.
I've extracted the USERID: value to a field called UserID

My lookup table, super simple, looks like this....

UserID,Username

100000,Elvis Presley

100001,Jim Morrison

100002,Jimi Hendrix

100003,Janis Joplin

This is uploaded, and location defined in the Manager/Lookups/Lookup Table Files, and Called UserFile

The Lookup is define in Manager/Lookups/Lookup Definitions, Named UserLookup, Type is filebased, and Lookup File is UserTable.

Finally, under Manager/Lookups/Automatic Lookups, I created an automatic lookup named Username Lookup. The Lookup Table is UserLookup. The input field is UserID=UserID, and the output field is Username=Username.

Obviously, the object here is to autolookup the Name field based on the UserID Field. But, it doesn't work. I dont' even see UserName in the field List.

It's gotta be something super dumb/simple I'm missing here.

Thanks in advance.

Tags (2)
0 Karma
Reply

cgkades
Explorer
‎07-02-2012 12:52 PM

Is there any way to have it auto look up the userid to username without having to manually create a table?

0 Karma
Reply

vshackler
New Member
‎06-29-2011 01:13 PM

I'm having the same problem as the original poster. The command

|inputlookup definition

returns my table. I'm still not seeing the new field as an available selection or filter in my searches, however.

0 Karma
Reply

ziegfried
Influencer
‎06-08-2011 02:07 PM

To validate that the lookup definition has been configured correctly, you can execute the following search:

| inputlookup UserLookup

This should give you the content of the lookup file in the search result.

Does this work?

0 Karma
Reply

mw
Splunk Employee
Splunk Employee
‎06-08-2011 02:03 PM

What happens when you do a search like "UserID=* | lookup UserLookup UserID OUTPUT Username"?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...