The unexpected behavior of inputlookup command.Is ...

Shuhei052492 · ‎07-04-2018

Hi splunk professionals,

I see a unexpected behavior about inputlookup command in ver 7.1.1.
The detail of unexpected behavior is below.

">>>>>Expected behavior<<<<<"
I have many csv files like ABC.csv,XYZ.csv,DDD.csv.
I run inputlookup command to show XYZ.csv and can see the content of XYZ.csv

SPL: |inputlookup XYZ.csv
Command result: the content of XYZ.csv

">>>>>Happening unexpected behavior<<<<<"
I have many csv files like ABC.csv,XYZ.csv,DDD.csv.........etc.
I ran inputlookup command to show XYZ.csv, and inputlookup comand worked naturally.
But the result of command was ABC.csv's result.

SPL: |inputlookup ABC.csv
Command result: the content of ABC.csv

After that, I tried running the another csv file with inputlookup command.But the result of command returned still ABC.csv's result.

After investigation, I understand the cause that there was a the wrong setting in transforms.conf.
Transforms.conf had the wrong setting which was to lack a front bracket of stanza.

Like this,

DDD_lookup]
filename = DDD.csv

If transforms.conf had the wrong setting, inputlookup command showed another csv result naturally without error messages.

I wonder that this behaviour is a unknown bug.
Also I did not understand thant Splunk worked naturally and did not return any error messages when I ran inputlookup command.

If someone knew that this is known issue, please let me know the document.

Any reply and opinion will be appreciated.

Best regard,

janispelss · ‎07-04-2018

While this behavior maybe isn't optimal, it's not completely unexpected.

Because the lines with stanza names didn't have the opening square bracket, they weren't correctly recognized as the beginning of a new stanza, and since there aren't any transforms.conf settings with that name, those lines were simply ignored. This caused all the filename lines to be added to the previous stanza. I assume in your transforms.conf there weren't any previous stanzas, so the filename parameters were outside of any stanzas, which made them part of the default stanza. And since the default stanza now had multiple filename parameters, Splunk just used the last one.

So in the end, using the inputlookup command with any unconfigured lookup names, returned the default lookup. In fact you could have used any random string of characters as the lookup name, and it would still return the contents of ABC.csv.

Shuhei052492 · ‎07-05-2018

Hi janispelss,

Thank you for your message.
I have almost same opinion.

By the way, I have a question about the following message.
"using the inputlookup command with any unconfigured lookup names, returned the default lookup."

I would like to know how Splunk determines the default lookup which is shown first when there is some bad settings in transforms.conf.
If you know it or have an idea, please share your knowledge.

janispelss · ‎07-10-2018

Usually there isn't any default lookup, unless you set one up in either the [default] stanza or outside of any stanza. In your case, since the stanza names were missing the opening "[", all the "filename = something.csv" configurations were considered to be outside of any stanza.

And when a stanza has the same attribute configured multiple times ("filename" in your case), the last one is used.

The unexpected behavior of inputlookup command.Is it a unknown bug?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM