- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why isn't my dynamic lookup returning a value?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been staring at this problem for eons but I'm stuck.
I have two dynamic lookups.
- volumeCheck (external lookup), fields defined=ip, volumes, vrank Result; volumeCheck always return vrank=UNK . I expect vrank to be GREEN or AMBER
- top10InboundPortProtocol (external lookup), fields defined=port,protocol,rank Result: returns GREEN, AMBER or RED (works)
I checked the logs and I can see that volumeCheck is returning on the stdout RED or GREEN but on splunk search, it is showing vrank=UNK. I can't see any exception or error in splunkd.log
FYI, i set in the dynamic lookup, minimum matches=1, Default matches to UNK
I have done many dynamic lookups but this one stumped me.
FYI my splunk search:
index="flowintegrator" src_port=21 |eval thisUser=src_ip + "_"+ dest_ip | bucket _time span=1d | eval diff= floor((now() - _time)/86400) |eval diff="row"+diff | chart avg(bytes) over thisUser by diff|eval row1=if(isnull(row1), 0, floor(row1))| eval row2=if(isnull(row2), 0, floor(row2))|eval row3=if(isnull(row3), 0, floor(row3))|eval row4=if(isnull(row4), 0, floor(row4))|eval row5=if(isnull(row5), 0, floor(row5))|eval row6=if(isnull(row6), 0, floor(row6))|eval volumes=row1+";"+row2+";"+row3+";"+row4+";"+row5+";"+row6|**lookup volumeCheck ip as thisUser, volumes OUTPUT vrank**
Help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i found the problem. My mistake.
Details
splunk matches the fields from the dynamic lookup.
if the fields to the dynamic lookup is 127.0.0.1_127.0.0.2, \"1;2;3;4;5;6\"
the dynamic lookup must return these two fields.
127.0.0.1_127.0.0.2, \"1;2;3;4;5;6\", RED
Previously, I was returning 127.0.0.1_127.0.0.2, 3, RED // i.e. column 2 does not match the input fields.
hope this helps anyone who is doing dynamic lookup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i found the problem. My mistake.
Details
splunk matches the fields from the dynamic lookup.
if the fields to the dynamic lookup is 127.0.0.1_127.0.0.2, \"1;2;3;4;5;6\"
the dynamic lookup must return these two fields.
127.0.0.1_127.0.0.2, \"1;2;3;4;5;6\", RED
Previously, I was returning 127.0.0.1_127.0.0.2, 3, RED // i.e. column 2 does not match the input fields.
hope this helps anyone who is doing dynamic lookup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@erickyi - Thanks for posting your solution for others to benefit from. Please accept your answer so that the problem will show as closed.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
