Solved: Re: Lookup is not working!

changwoo · ‎01-13-2014

i tried this tutorial

http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchTutorial/Usefieldlookups

Upload a look-up file
define the field look-up

this two works great

but! when i tried automatic lookup i doesn't work

i tried to search for sourcetype=access_*

shows that there is no matching result

and the permission is "all app"

movielookup.csv struture is like

movieId, movieName, movieGenre
1, Toy Story (1995), Animation

and where is transforms.conf ?

mattness · ‎01-14-2014

Well, I'd start troubleshooting this by answering these questions:

Is the movieId field in your data currently? Is it extracted as movieId and not something else (for example: MovieID or movieID or movie_id)? Lookups are case-sensitive, so this is important. If the fieldname is constructed differently, go back to the automatic lookup definition and change the lookup input field so it says (for example) MovieID = movieId.
If the movieId field is in your data and it is constructed correctly in your automatic lookup definition, have you verified that the events that contain it have the source type access_combined_wcookie? If not, what sourcetype value do these events have? If it isn't access_combined_wcookie go back to the automatic lookup definition and put in the correct source type. (Note that you can also group by host or source.)

If the answer to both of these questions is "yes" then we'll have to go to inquiry stage two. But let's get the easy stuff sorted out first.

As for the transforms.conf file, you can find it in $SPLUNK_HOME/etc/system/local/. You can find more information about editing lookup configurations in .conf files here. But I would advise that we ensure that we can't fix the problem through the Settings pages before moving on to the .conf file configurations.

View solution in original post

mattness · ‎01-14-2014

Well, I'd start troubleshooting this by answering these questions:

Is the movieId field in your data currently? Is it extracted as movieId and not something else (for example: MovieID or movieID or movie_id)? Lookups are case-sensitive, so this is important. If the fieldname is constructed differently, go back to the automatic lookup definition and change the lookup input field so it says (for example) MovieID = movieId.
If the movieId field is in your data and it is constructed correctly in your automatic lookup definition, have you verified that the events that contain it have the source type access_combined_wcookie? If not, what sourcetype value do these events have? If it isn't access_combined_wcookie go back to the automatic lookup definition and put in the correct source type. (Note that you can also group by host or source.)

If the answer to both of these questions is "yes" then we'll have to go to inquiry stage two. But let's get the easy stuff sorted out first.

As for the transforms.conf file, you can find it in $SPLUNK_HOME/etc/system/local/. You can find more information about editing lookup configurations in .conf files here. But I would advise that we ensure that we can't fix the problem through the Settings pages before moving on to the .conf file configurations.

changwoo · ‎01-14-2014

this help me a lot!

what i was trying to do works great!

It was a hard work because all field was scrambled :<

Lookup is not working!

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio