Splunk Search

Can't get lookups to work

timmy13
Communicator

I am just using some test data that I generated to try to get lookups to work.

First, my log (completely manually generated and meaningless) file looks like this....

TimeDate:201108034352 USERID:100002 PRODUCTION:71

TimeDate:201105014327 USERID:100001 PRODUCTION:37

TimeDate:201112014446 USERID:100002 PRODUCTION:92

TimeDate:201107060448 USERID:100003 PRODUCTION:14

There are about 10000 lines.
I've extracted the USERID: value to a field called UserID.

My lookup table, super simple, looks like this....

UserID,Username

100000,Elvis Presley

100001,Jim Morrison

100002,Jimi Hendrix

100003,Janis Joplin

This is uploaded, with its location defined in Manager/Lookups/Lookup Table Files, and called UserFile.

The lookup is defined in Manager/Lookups/Lookup Definitions, named UserLookup, type is file-based, and the lookup file is UserTable.

Finally, under Manager/Lookups/Automatic Lookups, I created an automatic lookup named Username Lookup. The Lookup Table is UserLookup. The input field is UserID=UserID, and the output field is Username=Username.

Obviously, the object here is to auto-lookup the Name field based on the UserID field. But it doesn't work. I don't even see UserName in the field list.

It's gotta be something super dumb/simple I'm missing here.

Thanks in advance.

0 Karma

cgkades
Explorer

Is there any way to have it auto look up the userid to username without having to manually create a table?

0 Karma

vshackler
New Member

I'm having the same problem as the original poster. The command

|inputlookup definition

returns my table. I'm still not seeing the new field as an available selection or filter in my searches, however.

0 Karma

ziegfried
Influencer

To validate that the lookup definition has been configured correctly, you can execute the following search:

| inputlookup UserLookup

This should give you the content of the lookup file in the search result.

Does this work?

0 Karma

mw
Splunk Employee

What happens when you do a search like "UserID=* | lookup UserLookup UserID OUTPUT Username"?

0 Karma
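
The setup described in the original post, written as the equivalent conf-file stanzas, with the two checks from the replies as comments. This is an added example, not part of the thread; the sourcetype name `test_production` and the file name `UserTable.csv` are assumptions.

```ini
# --- transforms.conf -------------------------------------------------
# Lookup definition (Manager > Lookups > Lookup definitions).
# The stanza name is what searches and automatic lookups refer to.
[UserLookup]
# Assumed file name; it must match the uploaded lookup table file.
filename = UserTable.csv
# Default behaviour: values in the UserID column are matched case-sensitively.
case_sensitive_match = true

# --- props.conf ------------------------------------------------------
# Hypothetical sourcetype; use the sourcetype of the test events.
[test_production]
# Search-time extraction: digits after "USERID:" become the field UserID.
EXTRACT-userid = USERID:(?<UserID>\d+)
# Automatic lookup (Manager > Lookups > Automatic lookups):
#   <definition> <lookup column> AS <event field> OUTPUT <lookup column> AS <event field>
# Field names are case-sensitive, so the new field appears as "Username".
LOOKUP-username = UserLookup UserID AS UserID OUTPUT Username AS Username

# --- checks suggested in the replies ---------------------------------
# 1. Does the definition resolve to the file?
#      | inputlookup UserLookup
# 2. Does a manual lookup add the field to events?
#      UserID=* | lookup UserLookup UserID OUTPUT Username
```

The automatic lookup is applied only to events whose sourcetype matches the props.conf stanza, and it runs after search-time field extraction, so the UserID field has to exist on those events for Username to be added.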