Splunk Search

Lookup Table Issues

Michael_Schyma1
Contributor

would inputs.csv be a better way to conduct this type of operation. Say i have 100 hosts comming in from my cmdb everyday and i want to run a report on 65 of thoese hostnames that are dynamic and are not going to be the same two days in a row. Is there a way to take the csv file that is going to be exported daily from my cmdb and then run it against a precreated report in splunk. This way i will not have to change the search query everyday and it will just run at a set time.

I have a lookup table that looks like this:
It is called host.csv

 hostname
    host1
    host2
    host3
    host4

I do not understand why i can not import the information using the UI. I keep on getting this error message:Encountered the following error while trying to save: In handler 'lookup-table-files': File is binary and not gzipped

Then when i change it to binary, it says the same thing only though backwards. Does anyone have any suggestions? I am trying to set a lookup table equal to host1 host2 host3 host4 and then when i call the table it will run against all of these hosts. Any help would be helpful. This is the first lookup table i have ever created.

Tags (2)
0 Karma

aakwah
Builder

This issue happened with me when I've a column that has German letters ü,ß,ä ...
after I removed this column from csv file it uploaded successfully

0 Karma

Michael_Schyma1
Contributor

would inputs.csv be a better way to conduct this type of operation. Say i have 100 hosts comming in from my cmdb everyday and i want to run a report on 65 of thoese hostnames that are dynamic and are not going to be the same two days in a row. Is there a way to take the csv file that is going to be exported daily from my cmdb and then run it against a precreated report in splunk. This way i will not have to change the search query everyday and it will just run at a set time.

0 Karma

JBarkerMox
Explorer

Also check to see that the file is saved in UTF-8 format.

ChrisG
Splunk Employee
Splunk Employee

This probably won't be the most helpful posting (sorry)...there was a previous Answer about this that points to (possibly hidden) special characters. Is that a possibility here? And I assume you are following the procedure in the documentation for doing lookups from a static file, and you've edited transforms.conf and props.conf and restarted Splunk?

Michael_Schyma1
Contributor

I am trying to edit the transforms and props.conf files, i am just not sure if this is possible to do. I just want to grab the information from those host1,2,3,4 and set it equal to hostname.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...