Can I add a csv lookup file to resolve IPs to domains in realtime?

Explorer

I have added a CSV file of the top 1 million domains in /opt/splunk/etc/system/lookups and then added a transforms.conf pointed to that file, but I don't see any proof that this is working. I've restarted Splunk as well as amending the props.conf (in local) to reflect the stanza I used in transforms. Any help in this area is appreciated. I am also trying to get the domains from Stream data.

0 Karma

Re: Can I add a csv lookup file to resolve IPs to domains in realtime?

Super Champion

Follow these steps to create a CSV lookup that is globally available:
1. The CSV file must be located in $SPLUNK_HOME/etc/system/lookups
2. Add a CSV lookup stanza to transforms.conf:
   [<lookup_name>]: The name of the lookup table.
   filename = : The name of the CSV file that the lookup references.
   So it will look like, for example:

   [lookup_name]
   filename = filename.csv
3. (Optional) Check permission in Settings > Lookups > Lookup table files
4. Restart Splunk Enterprise to implement your changes.

Refer to this: http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/ConfigureCSVlookups#Create_a_CSV_lookup
After the lookup is set up, run the SPL query: |inputlookup lookup_name.csv

0 Karma
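The steps in the answer above, carried through to an automatic lookup on Stream data, as an added example that is not part of the original thread or of Splunk's documentation. The lookup name top_domains, the file name top_domains.csv, its header columns domain and rank, the stream:dns sourcetype and its query field are all assumptions; substitute the names from your own CSV header and events.

```ini
# ---- $SPLUNK_HOME/etc/system/lookups/top_domains.csv (assumed file) ----
# The first line of the CSV must be a header row naming the fields, e.g.:
#   domain,rank
# A file without a header row has no usable field names to match on.

# ---- $SPLUNK_HOME/etc/system/local/transforms.conf ----
[top_domains]
filename = top_domains.csv
# CSV lookups match case-sensitively by default; domain names are not
# case-sensitive, so turn that off.
case_sensitive_match = false
# Return at most one row per event value.
max_matches = 1
# Write a visible value when nothing matches, so an event that was
# looked up but not found is distinguishable from a lookup that never ran.
min_matches = 1
default_match = unlisted

# ---- $SPLUNK_HOME/etc/system/local/props.conf ----
# Stanza name is the sourcetype of the events to enrich (assumed here).
[stream:dns]
# LOOKUP-<class> = <lookup_name> <csv_field> AS <event_field> OUTPUTNEW <csv_field> AS <new_event_field>
# The match field (domain) must be a column in the CSV header, and the
# event field (query) must already be extracted at search time.
LOOKUP-top_domains = top_domains domain AS query OUTPUTNEW rank AS domain_rank

# ---- Checks to run from the search bar after restarting ----
# 1. The file is readable and has the expected columns:
#      | inputlookup top_domains | head 5
# 2. The match works when called explicitly:
#      sourcetype=stream:dns | lookup top_domains domain AS query OUTPUT rank | stats count by rank
# 3. The automatic lookup from props.conf is applied:
#      sourcetype=stream:dns | stats count by domain_rank
```

If check 1 returns rows but check 3 shows no domain_rank field at all, the props.conf stanza name does not match the events' sourcetype or the event field name is wrong; if every event shows unlisted, the lookup runs but the values do not match the CSV column.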