Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to create a global field for an indexed data using automatic lookup?

sushree1234
Explorer
‎09-02-2022 09:35 AM

Hi All , 
 

So i was trying to create an global field for a newly indexed data , so trying out with automatic lookup settings .
Ex- in the indexed data - datacenter name is not mentioned , so wanted to populate it using automatic lookup . I am able to do that , but for only 1 sourcetype , i have 100+ sourcetypes , is there any way to define apply to - sourcetype/hosts to multiple one . Please let me know .

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-03-2022 07:48 AM

https://docs.splunk.com/Documentation/Splunk/latest/Admin/propsconf

[<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of
  different <spec>.
* Follow this stanza name with any number of the following setting/value
  pairs, as appropriate for what you want to do.
* If you do not set a setting for a given <spec>, the default is used.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
                     classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
                            source type classification rule.
                            These are only considered as a last resort
                            before generating a new source type based on the
                            source seen.

**[<spec>] stanza precedence:**

For settings that are specified in multiple categories of matching [<spec>]
stanzas, [host::<host>] settings override [<sourcetype>] settings.
Additionally, [source::<source>] settings override both [host::<host>]
and [<sourcetype>] settings.
0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎09-03-2022 12:31 AM

Take a look at doing that in props.conf:

https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Makeyourlookupautomatic#Create_an...

Reply

sushree1234
Explorer
‎09-06-2022 03:44 AM

can i get a example for props.conf & transforms.conf for multiple host automatic lookup setup

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...