Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the inputlookup not returning any records?

putrtek
New Member
‎02-11-2018 08:52 AM

I'm running Splunk Enterprise v7.01 running on Server 2012 R2
Lookups are not working in the Search App or in the Home Monitor App

Following the online Tutorial, I downloaded the sample data from Splunk.
I created a lookup table called prices using the prices.csv included in the download

Sample CSV data looks like this:

productId,product_name,price,sale_price,Code
DB-SG-G01,Mediocre Kingdoms,24.99,19.99,A
DC-SG-G02,Dream Crusher,39.99,24.99,B
FS-SG-G03,Final Sequel,24.99,16.99,C
WC-SH-G04,World of Cheese,24.99,19.99,D

I set the permissions on the prices.csv file to Everyone Read/Write All Apps
I configured a Lookup Definition prices_lookup pointing to the prices.csv file

props.conf 

[prices_lookup]
batch_index_query = 0
case_sensitive_match = 1
filename = prices.csv

To test my lookup I run the following Query:

'inputlookup prices' also tried 'inputlookup prices_lookup' and 'inputlookup prices.csv'

All of these queries return no records

What am I doing wrong?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-11-2018 09:56 AM

When you ran inputlookup prices did your search look exactly like that?

inputlookup is a generating command, and thus must have a leading |:

| inputlookup prices_lookup

As to which names you can use for the lookup, your transform is named prices_lookup, and your csv is named prices.csv, so either of these would work:

| inputlookup prices_lookup
| inputlookup prices.csv

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-11-2018 09:56 AM

When you ran inputlookup prices did your search look exactly like that?

inputlookup is a generating command, and thus must have a leading |:

| inputlookup prices_lookup

As to which names you can use for the lookup, your transform is named prices_lookup, and your csv is named prices.csv, so either of these would work:

| inputlookup prices_lookup
| inputlookup prices.csv

Reply
Solved! Jump to solution

putrtek
New Member
‎02-11-2018 12:43 PM

Thank You for the full explanation. Adding the leading pipe did work. I'm getting data back. Thanks

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-11-2018 09:54 AM

I'm guessing you forgot the leading pipe to run a non-search command: | inputlookup prices_lookup

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...