Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Automatic Lookups on Internal Index

jarrex
Explorer
‎07-31-2015 10:58 AM

Is the _internal index exempt from automatic lookups? I can't get any automatic lookups working on the index even with global permissions selected to work on the internal index, it works everywhere except there. Is there no way to do this?

0 Karma
Reply

woodcock
Esteemed Legend
‎07-31-2015 12:10 PM

You have 2 problems; first you are swapping the lookup name and event name positions and you have extra spaces in your LOOKUP- name (or perhaps it was supposed to be a second input field and you forgot to use AS and put it in the wrong place?). I have made a guess how to fix everything below:

[splunk_web_access]
LOOKUP-AD = AD_User_List user AS cn OUTPUTNEW UserFullName AS FullName
[source::/opt/splunk/var/log/splunk/web_access.log]
LOOKUP-Lookup-AD_Source_Attempt = AD_User_List user AS cn OUTPUTNEW UserFullName AS FullName
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-31-2015 11:17 AM

Automatic looks on _internal are working fine for me. Post your props.conf so we can take a look.

0 Karma
Reply

jarrex
Explorer
‎07-31-2015 11:40 AM

bash-4.1$ cat props.conf
[_internal]

[splunkd*]

[splunk_web_access]
LOOKUP-AD = AD_User_List cn AS user OUTPUTNEW FullName AS UserFullName

[source::/opt/splunk/var/log/splunk/web_access.log]
LOOKUP-Lookup-AD Source Attempt = AD_User_List cn AS user OUTPUTNEW FullName AS UserFullName
bash-4.1$

0 Karma
Reply

jarrex
Explorer
‎07-31-2015 11:47 AM

It should probably also be noted that there are 2 doing the same query because I wasn't sure if there was an issue with the sourcetype. It did this back when I just was trying it on splunk_web_access

0 Karma
Reply

lguinn2
Legend
‎07-31-2015 11:11 AM

What sourcetype and fields are you using for the lookups?

0 Karma
Reply

jarrex
Explorer
‎07-31-2015 11:15 AM

I am using the user field and the sourcetype of splunk_web_access

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...