Splunk Enterprise

lookups

VijaySrrie
Builder

Hi,

Under lookups we have lookups as below

lookups

abcd.csv

xyz.csv

I could see configs in props.conf to map to these lookups

props.conf

LOOKUP-field1-field2 = abcd_lookup field OUTPUTNEW field1,field2
LOOKUP-field3 = xyz_mapping field OUTPUTNEW field3

You can see in props.conf that, along with the first lookup name, they have added _lookup (abcd_lookup), and along with the second lookup name they have added _mapping (xyz_mapping).

Is this correct?

 


venkatasri
SplunkTrust

Hi @VijaySrrie 

If I understand correctly, there are two key items w.r.t. lookups: the lookup definition name (in your case xyz_mapping and abcd_lookup), and the files with extension .csv, which are the original files holding the data.

You should be able to find the same in transforms.conf as below; then it must be right. You can test the same with | inputlookup abcd_lookup and | inputlookup xyz_mapping under the app scope they have been configured in.

[abcd_lookup]
filename = abcd.csv
[xyz_mapping]
filename = xyz.csv

  ---

An upvote would be appreciated and Accept solution if this reply helps!

 



VijaySrrie
Builder

@venkatasri you are correct.

So generally, when we create lookups and use them for field extraction, do we need to write props.conf and transforms.conf?

venkatasri
SplunkTrust

@VijaySrrie transforms.conf is a kind of one-time setup to configure the lookup file and definition; you don't need to do this every time unless you want to change the original settings done by your admin/developer.

If you are going to use the existing lookup file, you mostly use props.conf, deployed to the SH, and it's not extraction; I would say it is to enrich and create additional fields (OUTPUT, OUTPUTNEW). props.conf LOOKUP-<name> = something is equivalent to using the | lookup command in the UI. Hence it depends on where you want to code it: in a UI inline search or in the backend using props.conf. Hope this clarifies!
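
Added example, not part of the original thread: a Python check that traces each props.conf LOOKUP- setting to its transforms.conf stanza and that stanza's filename to a CSV, which is the chain the replies above describe. The stanza name my_sourcetype, the LOOKUP-broken line and the file listing are constructed for illustration.

```python
import configparser

# Constructed sample input. The first two LOOKUP- lines and both transforms.conf
# stanzas come from the thread; [my_sourcetype] and LOOKUP-broken are assumptions.
PROPS = """
[my_sourcetype]
LOOKUP-field1-field2 = abcd_lookup field OUTPUTNEW field1,field2
LOOKUP-field3 = xyz_mapping field OUTPUTNEW field3
LOOKUP-broken = missing_lookup field OUTPUTNEW field4
"""
TRANSFORMS = """
[abcd_lookup]
filename = abcd.csv
[xyz_mapping]
filename = xyz.csv
"""
LOOKUP_FILES = {"abcd.csv", "xyz.csv"}  # constructed listing of the app's lookups/ directory


def parse_conf(text):
    """Parse .conf text; setting names keep their case (configparser lowercases by default)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_lookups(props_text, transforms_text, lookup_files):
    """Return (stanza, setting, definition, problem) for every LOOKUP- line that does not resolve."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    findings = []
    for stanza in props.sections():
        for setting, value in props[stanza].items():
            tokens = value.split()
            if not setting.startswith("LOOKUP-") or not tokens:
                continue
            definition = tokens[0]  # first token names the transforms.conf stanza
            if not transforms.has_section(definition):
                problem = "no transforms.conf stanza"
            elif "filename" not in transforms[definition]:
                problem = "stanza has no filename"
            elif transforms[definition]["filename"] not in lookup_files:
                problem = "file " + transforms[definition]["filename"] + " not in lookups/"
            else:
                continue
            findings.append((stanza, setting, definition, problem))
    return findings


if __name__ == "__main__":
    for finding in check_lookups(PROPS, TRANSFORMS, LOOKUP_FILES):
        print(finding)
```

A stanza without a filename is reported because this check only models CSV-backed lookups; other lookup types would need their own branch.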
