Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Splunk not finding all events based on a field in a lookup file?

dbcase
Motivator
‎12-07-2016 02:11 PM

Hi,

I have a lookup file that looks like this (filename=12-07-16_CPEs.csv)

Cpe_ID
9c97265f6d0f
5898353e54ab
589835fe2726
5898353e6030
589835401594
9c9726adfbfe
9c972687d783
9c9726ec2bd9
9c9726ae14e2
589835feacf6
9c9726efaacb
c4ea1d2e7d4d
c4ea1d87340d
0876ff27acb2
58983540131f
9c972687aef3
9c9726ec1cfe

And a search that looks like this

index=cox SingleDeviceDebugger|rex "CpeId:\s(?<cpeid>\S+)"|search  [| inputlookup 12-07-16_CPEs.csv | fields Cpe_ID | rename Cpe_ID as cpeid ]|sort cpeid|reverse|dedup cpeid|table cpeid

When the search runs, it only returns data that looks like the below, even though there are events that match other CPE IDs (see below query and results). What am I doing wrong?

cpeid
9c9726eedf22
9c9726eed8de
9c9726eec0f9
9c9726ee2d66
9c9726ed6a6f
9c9726ed6371
9c9726ed5732
9c9726ed4c6b
9c9726ed2b8f
9c9726ec2bd9

Search to verify that other CPEs do exist.

index=cox SingleDeviceDebugger 5898353e54ab

    96 events   (12/6/16 4:08:20.000 AM to 12/7/16 4:08:20.000 PM)

####<Dec 6, 2016 5:10:04 PM EST> <Debug> <ucontrol> <ccivirpxa0705.ABCcompany.com> <managedServer06> <client-6> <<anonymous>> <> <> <1481062204898> <BEA-000000> <fn.util.SingleDeviceDebugger  - CpeId: 5898353e54ab :: SENT SMAP packet 
<iq uri="/event/cameraMotion" type="result" id="1467295471" to="6344@xmpp/5898353e54ab">
  <smap xmlns="http://ucontrol.com/smap/v2">
    <eventResponse>
      <id>1868330717</id>
      <cpeGenId>6344.1467295471</cpeGenId>
    </eventResponse>
  </smap>
</iq>>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dbcase
Motivator
‎12-07-2016 02:41 PM

Found it! Apparently when creating the input lookup file (using Excel in this case) you MUST use MS-DOS Comma Separated format

Other CSV formats listed in Excel give.... well unpredictable results....

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dbcase
Motivator
‎12-07-2016 02:41 PM

Found it! Apparently when creating the input lookup file (using Excel in this case) you MUST use MS-DOS Comma Separated format

Other CSV formats listed in Excel give.... well unpredictable results....

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...