Splunk Enterprise

lookups

VijaySrrie
Builder

Hi,

Under lookups we have lookups as below

lookups

abcd.csv

xyz.csv

I could see configs in props.conf to map to these lookups

props.conf

LOOKUP-field1-field2 = abcd_lookup field OUTPUTNEW field1,field2
LOOKUP-field3 = xyz_mapping field OUTPUTNEW field3

You can see in props.conf that, along with the first lookup name, they have added _lookup (abcd_lookup), and along with the second lookup name they have added _mapping (xyz_mapping).

Is this correct?

 

1 Solution

venkatasri
SplunkTrust

Hi @VijaySrrie 

If I understand correctly, there are two key items w.r.t. lookups: the lookup definition name (in your case xyz_mapping, abcd_lookup), and the files with extension .csv, which are the original files holding the data.

You should be able to find the same in transforms.conf as below; then it must be right. You can test the same with | inputlookup abcd_lookup, | inputlookup xyz_mapping under the app scope they have been configured in.

[abcd_lookup]
filename = abcd.csv
[xyz_mapping]
filename = xyz.csv

  ---

An upvote would be appreciated and Accept solution if this reply helps!

 


VijaySrrie
Builder

@venkatasri you are correct.

So generally, when we create lookups and use them for field extraction, do we need to write props.conf and transforms.conf?


venkatasri
SplunkTrust

@VijaySrrie transforms.conf is a kind of one-time setup to configure the lookup file and definition; you don't need to do this every time unless you want to change the original settings made by your admin/developer.

If you are going to use the existing lookup file, you mostly use props.conf, deployed to the SH, and it's not extraction; I would say it is to enrich and create additional fields (OUTPUT, OUTPUTNEW). props.conf LOOKUP-<name> = something is equivalent to using the | lookup command in the UI. Hence it depends on where you want to code it: in the UI as an inline search, or in the backend using props.conf. Hope this clarifies!
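The check described in the accepted answer (each LOOKUP- setting in props.conf names a transforms.conf stanza, whose filename points at a CSV under lookups) can be automated. The following is an added example, not part of the thread and not Splunk's own code; the [my_sourcetype] stanza, the LOOKUP-field9 entry and the function names are assumptions, and only CSV-backed lookup definitions are handled.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def check_lookups(props_text, transforms_text, csv_files):
    """Return one problem string per LOOKUP-<class> setting that does not resolve."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    problems = []
    for stanza, settings in props.items():
        for key, value in settings.items():
            if not key.startswith("LOOKUP-") or not value:
                continue
            definition = value.split()[0]  # first token names the transforms.conf stanza
            target = transforms.get(definition)
            if target is None:
                problems.append(f"[{stanza}] {key}: no [{definition}] stanza in transforms.conf")
            elif target.get("filename") not in csv_files:
                problems.append(f"[{stanza}] {key}: [{definition}] filename {target.get('filename')!r} not in lookups")
    return problems

# Constructed sample: the thread's settings under a hypothetical [my_sourcetype] stanza,
# plus one deliberately broken entry (LOOKUP-field9) that uses the CSV base name by mistake.
PROPS = """[my_sourcetype]
LOOKUP-field1-field2 = abcd_lookup field OUTPUTNEW field1,field2
LOOKUP-field3 = xyz_mapping field OUTPUTNEW field3
LOOKUP-field9 = xyz field OUTPUTNEW field9
"""
TRANSFORMS = """[abcd_lookup]
filename = abcd.csv
[xyz_mapping]
filename = xyz.csv
"""
if __name__ == "__main__":
    print("\n".join(check_lookups(PROPS, TRANSFORMS, {"abcd.csv", "xyz.csv"})))
```

The two settings from the thread resolve cleanly; only the constructed LOOKUP-field9 entry is reported, because props.conf must reference the definition name (xyz_mapping), not the file name.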
