Splunk Enterprise

lookups

VijaySrrie
Builder

Hi,

Under lookups we have lookups as below

lookups

abcd.csv

xyz.csv

I could see configs in props.conf to map to these lookups

props.conf

LOOKUP-field1-field2 = abcd_lookup field OUTPUTNEW field1,field2
LOOKUP-field3 = xyz_mapping field OUTPUTNEW field3

You can see in props.conf that, along with the first lookup name, they have added _lookup (abcd_lookup), and along with the second lookup name they have added _mapping (xyz_mapping).

Is this correct?

 

0 Karma

venkatasri
SplunkTrust

Hi @VijaySrrie 

If I understand correctly, there are two key items w.r.t. lookups: the lookup definition, which is the name of the lookup (in your case xyz_mapping, abcd_lookup), and the files with extension .csv, which are the original files holding the data.

You should be able to find the same in transforms.conf as below; then it must be right. You can test the same with | inputlookup abcd_lookup and | inputlookup xyz_mapping under the app scope where they have been configured.

[abcd_lookup]
filename = abcd.csv
[xyz_mapping]
filename = xyz.csv

  ---

An upvote would be appreciated and Accept solution if this reply helps!

 


VijaySrrie
Builder

@venkatasri you are correct.

So generally, when we create lookups and use them for field extraction, do we need to write props.conf and transforms.conf?

0 Karma

venkatasri
SplunkTrust

@VijaySrrie transforms.conf is kind of a one-time setup to configure the lookup file and definition; you don't need to do this every time unless you want to change the original settings made by your admin/developer.

If you are going to use the existing lookup file, you mostly use props.conf, deployed to the SH, and it's not extraction; I would say it is to enrich and create additional fields (OUTPUT, OUTPUTNEW). props.conf LOOKUP-<name> = something is equivalent to using the | lookup command in the UI. Hence it depends on where you want to code it: in the UI as an inline search, or in the backend using props.conf. Hope this clarifies!
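
The chain discussed in this thread (a props.conf LOOKUP- setting names a transforms.conf stanza, which names a CSV file) can be checked mechanically. The sketch below is an added example, not part of the original posts and not Splunk tooling; the sample configs are constructed, and the [my_sourcetype] stanza, the LOOKUP-orphan line and the function names are assumptions.

```python
import re

# Constructed samples mirroring the thread; [my_sourcetype] and LOOKUP-orphan are assumptions.
PROPS_CONF = """\
[my_sourcetype]
LOOKUP-field1-field2 = abcd_lookup field OUTPUTNEW field1,field2
LOOKUP-field3 = xyz_mapping field OUTPUTNEW field3
LOOKUP-orphan = missing_def field OUTPUTNEW field4
"""
TRANSFORMS_CONF = """\
[abcd_lookup]
filename = abcd.csv
[xyz_mapping]
filename = xyz.csv
"""
LOOKUP_FILES = {"abcd.csv", "xyz.csv"}  # constructed listing of the app's lookups/ directory


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, skipping comments and blanks."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif line and not line.startswith("#") and "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def check_lookups(props_text, transforms_text, files):
    """Resolve each LOOKUP-<class> in props.conf to its transforms.conf stanza and CSV file."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    resolved, problems = {}, []
    for stanza, settings in props.items():
        for key, value in settings.items():
            if not key.startswith("LOOKUP-") or not value:
                continue
            definition = value.split()[0]  # first token names the lookup definition
            filename = transforms.get(definition, {}).get("filename")
            if filename is None:
                problems.append(f"{key}: no [{definition}] stanza with a filename in transforms.conf")
            elif filename not in files:
                problems.append(f"{key}: {filename} is not in lookups/")
            else:
                resolved[key] = (definition, filename)
    return resolved, problems
```

Calling check_lookups(PROPS_CONF, TRANSFORMS_CONF, LOOKUP_FILES) resolves the two settings from the thread and reports the constructed LOOKUP-orphan entry as a dangling reference.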
