Solved: Why is Splunk Cloud Lookup Outputting empty values...

paras · ‎07-21-2023

I have a lookup that is mapping action, category, attributes and more fields for windows event codes. However for each event code not all the column have values.

EventCode, action, category, attr, .....

1,allow,,xyx,,,

2,fail,firewall,,....

When I add this to the transforms and props.conf and deploy it out to splunk cloud it is creating fields even when it is empty for that match.

Is there a way to make sure that the null values are not getting outputted using props and transforms.conf ?

richgalloway · ‎07-24-2023

The settings look good to me. Consider opening a support request.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-24-2023

Please share the props and transforms as well as the SPL you're using to access the lookup.

---
If this reply helps you, Karma would be appreciated.

paras · ‎07-24-2023

In transforms.conf

[bv_windows_mapping]
filename =bv_windows_mapping.csv
max_matches = 1
min_matches = 1

In props.conf

LOOKUP-bv_windows_mapping =bv_windows_mapping EventCode OUTPUTNEW action, category, attr

richgalloway · ‎07-24-2023

The settings look good to me. Consider opening a support request.

---
If this reply helps you, Karma would be appreciated.

Why is Splunk Cloud Lookup Outputting empty values?

other

splunk-assist

troubleshooting

using Splunk Enterprise

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!