Solved: inputlookup error "line endings"

mikefoti · ‎12-28-2011

I’m trying to troubleshoot my use of “inputlookup”.

First I verify the following search works:

index=ca cert_RN=”Retail\S0002K02$”

It returns 2 records as expected.

I then create the inputlookup file

“C:\Program Files\Splunk\etc\apps\search\lookups\AccountNames.csv”

with only 2 lines (w/o the space between them):

cert_RN

Retail\S0002K02$

I then try this search:

index=ca [inputlookup AccountNames.csv | fields + cert_RN]

I get the following error:

[subsearch]: Lookup file 'C:\Program Files\Splunk\etc\apps\search\lookups\AccountNames.csv' may use mac-style line endings, which are unsupported.

MHibbin · ‎12-28-2011

I'm guessing you are editing this csv file on an MS OS, which editor are you using?.. Have you tried using wordpad/notepad to create your csv file? (Make sure that you save the file with the encoding utf-8 (I'm sure it doesn't matter with lookups, but Splunk prefers utf-8))..

However, I think your main issue is that your csv file only has one column (in the documentation, it mentions this and the utf-8 formatting). When I produce a csv which only has one column, I will typically produce a referencing column (which I normally call "match"), of which all the values in subsequent rows are "1"... e.g.. for your example...

match,cert_RN
1,Retail\S0002K02$
1,Retail\S1234A12$

n.b. the last line is added for effect

Then when you try the following search (with nothing before the "pipe")...

| inputlookup AccountNames.csv

Do you see the contents of the file?

After you have verified you results you could do a lookup on the match column outputting the field desired (note: you will need to include an "|eval match=1|" before doing the input lookup.

Hope this helps,

Regards,

MHibbin

View solution in original post

rrovers · ‎10-18-2017

open the document in textwrangler
choose
- 'save'
- linebreaks 'windows (crlf)
- encoding unicode (utf8)

MHibbin · ‎12-28-2011

I'm guessing you are editing this csv file on an MS OS, which editor are you using?.. Have you tried using wordpad/notepad to create your csv file? (Make sure that you save the file with the encoding utf-8 (I'm sure it doesn't matter with lookups, but Splunk prefers utf-8))..

However, I think your main issue is that your csv file only has one column (in the documentation, it mentions this and the utf-8 formatting). When I produce a csv which only has one column, I will typically produce a referencing column (which I normally call "match"), of which all the values in subsequent rows are "1"... e.g.. for your example...

match,cert_RN
1,Retail\S0002K02$
1,Retail\S1234A12$

n.b. the last line is added for effect

Then when you try the following search (with nothing before the "pipe")...

| inputlookup AccountNames.csv

Do you see the contents of the file?

After you have verified you results you could do a lookup on the match column outputting the field desired (note: you will need to include an "|eval match=1|" before doing the input lookup.

Hope this helps,

Regards,

MHibbin

MHibbin · ‎12-28-2011

Mikefoti,

That's good news. Good luck.

Regards,

MHibbin

saurabh_tek · ‎10-11-2016

@MHibbin Thanks

mikefoti · ‎12-28-2011

MHibbin, My mistake. Your suggestions worked perfectly. My input file was at fault. Once I replaced my doulde-backslash with a single baclslash, everything fell into place

mikefoti · ‎12-28-2011

Thank you MHibbin.
After adding the match column and saving as UTF-8, I do indeed get results from this search
|inputlookup AcctNames.csv

But this search yeilds no results:
index=ca [inputlookup AcctNames.csv |eval match=1|fields cert_RN]

inputlookup error "line endings"

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!