Yes, you can! When I did it, I defined the fields in the csv file with matching names, to avoid having to rename fields. I also created the definitions in order. First I created the lookup that used a field from the event to match a field in lookup table A. Then I defined a second lookup, which used the field name that was created in lookup table A to find a field in lookup table B. In other words:
Event field X -> Lookup Table A field Y -> Lookup Table B field Z
Lookup Table A has 2 fields: X, Y
Lookup Table B has 2 fields: Y, Z
After the automatic lookups were set up, fields X, Y and Z were all available in the field picker.
I don't know if order matters in the configuration files for lookups, but it might. I'd also be careful that you have 1-to-1 matching; this might not work with a 1-to-many match.
This doesn't seem to work. Here's the way I configured it, maybe you can tell me where I went wrong.
I have two .csv files, user_lookup (referencing the first .csv) containing a column with Department. The second, DivDept, corresponds to values from Department and vice versa. The first lookup works, as the Department field shows up properly in my searches.
First lookup I used was:
WinEventLog:Security : LOOKUP-user_department_lookup user_lookup UserID AS Account_Name OUTPUTNEW Department AS Department
Then I set up the second lookup:
WinEventLog:Security : LOOKUP-map_dept_to_divdept department_lookup DivDept AS Department OUTPUTNEW DivisionDepartmentName AS DivDept
But no matter how I rearrange this, I can only get the first lookup to work. As it is, it doesn't throw an error, but the second lookup isn't producing any new fields. I also tried mapping the second lookup to overwrite the fields produced by the first, but that didn't work either. Suggestions?
Find the props.conf file that contains the lookups you have configured. Look at hazekamp's answer below. Note the numbers in the LOOKUP-xx entries. Name your first lookup: LOOKUP-0user_department_lookup. Name the second one: LOOKUP-1map_dept_to_divdept.
I think Splunk runs your lookups in the wrong order because "map_dept..." comes before "user_dep..." in the ASCII sort.
Also, you use DivDept twice in the second lookup. That might also be a problem; shouldn't it be
LOOKUP-map_dept_to_divdept department_lookup Department AS Department OUTPUTNEW DivisionDepartmentName AS DivDept
I agree with lguinn; below are my lookup settings in props.conf. I am sure they work:
LOOKUP1 = servicetree SERVICEID AS LOGPAGE HANDSETTYPE as Platform OUTPUT NAME AS SERVICENAMEL10, PARENTID AS SERVICEPARENTIDL9
LOOKUP2 = servicetree SERVICEID as SERVICEPARENTIDL9 HANDSETTYPE as Platform OUTPUT NAME as SERVICENAMEL9, PARENTID as SERVICEPARENTIDL8
LOOKUP3 = servicetree SERVICEID as SERVICEPARENTIDL8 HANDSETTYPE as Platform OUTPUT NAME as SERVICENAMEL8, PARENTID as SERVICEPARENTIDL7
This can easily be done via props.conf, but it is imperative that the lookups are run in the proper order. The easiest way to make sure they are run in the proper order is to use alphanumeric precedence via property names:
## props.conf
LOOKUP-0first_lookup = my_first_lookup A OUTPUT B
LOOKUP-1second_lookup = my_second_lookup B OUTPUT C
I thought that Splunk would do the lookups in a particular order, but I didn't have time to research it.
Thanks for explaining this.
Looks like that solved everything. Seems the items in the config file are handled alphabetically, not based on the order they appear in the file.
That is almost correct: they are handled in ASCII order, so watch out for case; upper case sorts ahead of lower case.
When order of processing is important, I always number the lookups.
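As an added illustration (not code from the thread or from Splunk), here is a small Python simulation of the ordering rule discussed above: it applies the LOOKUP-* entries of a stanza in ASCII order of their names, using the lookup names from the question together with constructed CSV rows and a constructed event, and reports which chained lookup ran before its input field existed. The single-field spec parser and the sample tables are assumptions made for illustration only.

```python
import re
# Constructed lookup tables standing in for the two .csv files in the question.
TABLES = {
    "user_lookup": [{"UserID": "jdoe", "Department": "Finance"}],
    "department_lookup": [{"Department": "Finance", "DivisionDepartmentName": "Corp-Finance"}],
}
# Single-field form: "<table> <in> AS <evt_field> OUTPUT|OUTPUTNEW <out> AS <evt_field>"
SPEC = re.compile(r"^(\S+)\s+(\S+)\s+AS\s+(\S+)\s+OUTPUT(NEW)?\s+(\S+)\s+AS\s+(\S+)$", re.I)

def apply_lookups(stanza, event):
    """Apply the stanza's LOOKUP-* keys in ASCII order of their names.

    sorted() on str is code-point order (upper case ahead of lower case), which
    is the ordering the thread describes. Returns (enriched_event, skipped), where
    skipped lists lookups whose input field was absent from the event when they ran.
    """
    event = dict(event)
    skipped = []
    for key in sorted(k for k in stanza if k.startswith("LOOKUP-")):
        m = SPEC.match(stanza[key].strip())
        if not m:
            raise ValueError(f"unsupported lookup spec in {key}")
        table, in_field, evt_in, newonly, out_field, evt_out = m.groups()
        if evt_in not in event:  # chained input not produced yet: lookup silently does nothing
            skipped.append(key)
            continue
        for row in TABLES[table]:
            if row[in_field] == event[evt_in]:
                if not (newonly and evt_out in event):  # OUTPUTNEW never overwrites
                    event[evt_out] = row[out_field]
                break
    return event, skipped
EVENT = {"Account_Name": "jdoe"}  # constructed WinEventLog:Security event
# Names as posted: "map_dept..." sorts before "user_department...", so it runs first.
UNORDERED = {
    "LOOKUP-user_department_lookup":
        "user_lookup UserID AS Account_Name OUTPUTNEW Department AS Department",
    "LOOKUP-map_dept_to_divdept":
        "department_lookup Department AS Department OUTPUTNEW DivisionDepartmentName AS DivDept",
}
# Numeric prefixes pin the order, as the answers suggest.
ORDERED = {
    "LOOKUP-0user_department_lookup": UNORDERED["LOOKUP-user_department_lookup"],
    "LOOKUP-1map_dept_to_divdept": UNORDERED["LOOKUP-map_dept_to_divdept"],
}
if __name__ == "__main__":
    for label, stanza in (("as posted", UNORDERED), ("numbered", ORDERED)):
        enriched, skipped = apply_lookups(stanza, EVENT)
        print(f"{label}: {enriched} skipped={skipped}")
```

Running it shows the symptom from the question (the second lookup is skipped because Department does not exist yet) and that the numbered names fix it.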