- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- lookup is not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lookup is not working
I am doing it using GUI as i dont have server access.
I have lookup file serverrole.csv
host,role,environment
A,X,prod
Lookup file is located :/splunk/etc/apps/mysearch /lookups/serverroles.csv
Lookup definition is created : serverrole_lookup in supported fields it shows : host,role,environment
Automatic lookup : serverrole_lookup host AS host OUTPUT environment AS env host AS host role AS role for sourcetype: perfmon:processor
When I do search as : |inputllookup serverrole.csv it shows lookup file contents.
But when I do search as : sourcetype=perfmon:processor | lookup serverroles.csv host,role OUTPUT host,role I am not getting role, environment fields in "Intresting fields" or "Selected fields" or in "Events"..
I want search to work if i search : sourcetype=perfmon:processor| where role=X
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your Lookup definition is "serverrole_lookup" then you should use as follows:
*** base search | lookup serverrole_lookup host as host1 OUTPUT environment as env, role as myRole***
where
host field is in lookup table whereas host1 is an extracted field
environment is in lookup table whereas env is random name you choose for field to show up as interesting field
role is in lookup table whereas myRole is random name you choose for field to show up as interesting field
In case of automatic lookup defined (if done correctly) you can use the output fields (environment and role) directly like:
*** base search | stats count by environment, role****
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for reply..Using 1st I am getting results but I am not able to see env and role in my fields.. Any thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
interesting fields by default will come if they span 20% event coverage.
Click at All fields (just top right to Selected fields). which opens the field selector and checkbox the fields specifically as all fields should be present there.
Up vote if u think it works. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Done, but still unable to find them.. If they are not in events will they not show up?? How to add them in events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Firstly if the events don't have the data u r looking for then why will the fields show up, as if it were to be then by that logic all the fields which are in "search x" should show up in "search y" as "search y" doesn't have any event from "search x" and yet is supposed to show them.
In short no event data, so no fields for that data.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
