I have added a CSV file of the top 1 million domains in /opt/splunk/etc/system/lookups and then added a transforms.conf pointed to that file, but I don't see any proof that this is working. I've restarted Splunk as well as amending the props.conf (in local) to reflect the stanza I used in transforms. Any help in this area is appreciated. I am also trying to get the domains from Stream data.
Follow these steps to create a CSV lookup that is globally available:
1. The CSV file must be located in $SPLUNK_HOME/etc/system/lookups
2. Add a CSV lookup stanza to transforms.conf:
   [<lookup_name>]: The name of the lookup table.
   filename = : The name of the CSV file that the lookup references.
So it will look like, for example:
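Added example, not part of the original answer and not Splunk's own tooling: a Python check of the two steps above that also confirms the CSV's first row is a header naming the match field, which Splunk CSV lookups require. The stanza name top_domains, the file name top-1m.csv and the columns rank and domain are assumptions, and the sample files are constructed.

```python
import csv, os, tempfile
from pathlib import Path

def read_conf(path):
    """Minimal .conf reader: {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif "=" in line and current is not None:
                key, value = line.split("=", 1)
                current[key.strip()] = value.strip()
    return stanzas

def check_lookup(transforms_path, lookups_dir, lookup_name, match_field):
    """Return a list of problems that would stop the lookup from matching."""
    stanza = read_conf(transforms_path).get(lookup_name)
    if stanza is None:
        return [f"no [{lookup_name}] stanza in {transforms_path}"]
    filename = stanza.get("filename")
    if not filename:
        return [f"[{lookup_name}] has no filename setting"]
    csv_path = os.path.join(lookups_dir, filename)
    if not os.path.isfile(csv_path):
        return [f"{filename} not found in {lookups_dir}"]
    with open(csv_path, newline="", encoding="utf-8") as fh:
        header = next(csv.reader(fh), [])  # first row must be field names
    if match_field not in header:
        return [f"header {header} has no '{match_field}' column"]
    return []

def demo():
    """Run the check on constructed files (assumed names, not from the post)."""
    with tempfile.TemporaryDirectory() as tmp:
        conf, data = Path(tmp) / "transforms.conf", Path(tmp) / "top-1m.csv"
        conf.write_text("[top_domains]\nfilename = top-1m.csv\n")
        data.write_text("1,example.com\n2,example.org\n")  # no header row
        before = check_lookup(conf, tmp, "top_domains", "domain")
        data.write_text("rank,domain\n1,example.com\n2,example.org\n")
        after = check_lookup(conf, tmp, "top_domains", "domain")
        missing = check_lookup(conf, tmp, "top_1m", "domain")  # wrong name
    return before, after, missing

if __name__ == "__main__":
    print(demo())
```

Point check_lookup at the real transforms.conf and the lookups directory from step 1 to run it against a live install.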