Splunk Search

External file lookup is failing, possible due to a "/" character in the lookup fields.

martinpugh
Explorer

Hi all,

I'm having trouble getting an external file lookup to work in the Search app. I've setup a number of these previously and have had no issues but this one is failing and I can't seem to work out why. The props.conf and transforms.conf seem OK as if I add some dummy data I get the results I'm looking for but with the live data it's failing. I have a feeling it's because of the "/" characters in the initial lookup. Below is a sample of the lookup file :-

port,device

GigabitEthernet1/0/1,Server1

GigabitEthernet1/0/2,Server2

GigabitEthernet1/0/3,Server3

GigabitEthernet1/0/4,Server4

GigabitEthernet1/0/5,Server5

GigabitEthernet1/0/6,Server6

GigabitEthernet1/0/7,Server7

Can anyone confirm and let me know if there's any way I can work around this?

Thanks,

Martin

Tags (1)
0 Karma

Drainy
Champion

All you need to do is ensure they're enclosed within speech marks, e.g.

"GigabitEthernet1/0/1",Server1
"GigabitEthernet1/0/2",Server2

martinpugh
Explorer

Thanks for the feedback guys. Still struggling even with the quotes around the text. I don't get any errors, just no results. I've tried a few variations of quotes too, singles and double.

0 Karma

cramasta
Builder

You can replace the / character in your field if you want to test it out. One way you can do this is by using the eval mvsplit command to turn that field into a multi-valued field and then use the eval mvzip to put it back together with a new character to replace the /. Then just update your lookup to replace the / character as well.

I do however have a lookup with a / and it works.

cramasta
Builder

I have a lookup that uses / within the field that I am looking up and it works.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...