Splunk Enterprise

lookups

VijaySrrie
Builder

Hi,

Under lookups we have lookups as below

lookups

abcd.csv

xyz.csv

I could see configs in props.conf to map to these lookups

props.conf

LOOKUP-field1-field2 = abcd_lookup field OUTPUTNEW field1,field2
LOOKUP-field3 = xyz_mapping field OUTPUTNEW field3

You can see in props.conf that, along with the first lookup name, they have added _lookup (abcd_lookup), and along with the second lookup name they have added _mapping (xyz_mapping).

Is this correct?

 


venkatasri
SplunkTrust

Hi @VijaySrrie 

If I understand correctly, there are two key items w.r.t. lookups: the lookup definition, which is the name of the lookup (in your case xyz_mapping and abcd_lookup), and the files with the .csv extension, which are the original files holding the data.

You should be able to find the same in transforms.conf as below; then it must be right. You can test this with | inputlookup abcd_lookup and | inputlookup xyz_mapping under the app scope where they have been configured.

[abcd_lookup]
filename = abcd.csv
[xyz_mapping]
filename = xyz.csv

  ---

An upvote would be appreciated and Accept solution if this reply helps!

 


VijaySrrie
Builder

@venkatasri you are correct.

So generally, when we create lookups and use them for field extraction, do we need to write props.conf and transforms.conf?

venkatasri
SplunkTrust

@VijaySrrie transforms.conf is a kind of one-time setup to configure the lookup file and definition. You don't need to do this every time unless you want to change the original settings made by your admin/developer.

If you are going to use the existing lookup file, you mostly use props.conf, deployed to the SH. I would not call it extraction; it is used to enrich and create additional fields (OUTPUT, OUTPUTNEW). props.conf LOOKUP-<name> = something is equivalent to using the | lookup command in the UI. Hence it depends on where you want to code it: in the UI as an inline search, or in the backend using props.conf. Hope this clarifies!
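
Added example (not part of the thread, and not Splunk's own tooling): a small Python check for the relationship described in the replies above, that each LOOKUP- entry in props.conf names a transforms.conf stanza whose filename exists. The [my_sourcetype] stanza, the LOOKUP-field4 line and the set of files present are constructed for illustration; only CSV file-based lookups are handled.

```python
import configparser

# Constructed sample configs; the [my_sourcetype] stanza name and the
# LOOKUP-field4 line (a deliberately dangling reference) are assumptions.
PROPS_CONF = """
[my_sourcetype]
LOOKUP-field1-field2 = abcd_lookup field OUTPUTNEW field1,field2
LOOKUP-field3 = xyz_mapping field OUTPUTNEW field3
LOOKUP-field4 = missing_lookup field OUTPUTNEW field4
"""
TRANSFORMS_CONF = """
[abcd_lookup]
filename = abcd.csv
[xyz_mapping]
filename = xyz.csv
"""
LOOKUP_FILES = {"abcd.csv"}  # constructed: xyz.csv is absent from lookups/

def _parse(text):
    # Only "=" separates key and value; duplicate keys/stanzas are tolerated.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # preserve key case as written in the .conf file
    cp.read_string(text)
    return cp

def check_lookups(props_text, transforms_text, files):
    """Return (stanza, key, lookup_name, problem) for each broken reference."""
    props, transforms = _parse(props_text), _parse(transforms_text)
    findings = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("LOOKUP-") or not value.split():
                continue
            name = value.split()[0]  # first token is the lookup definition name
            if not transforms.has_section(name):
                findings.append((stanza, key, name, "no transforms.conf stanza"))
            elif not transforms.has_option(name, "filename"):
                findings.append((stanza, key, name, "stanza has no filename"))
            elif transforms.get(name, "filename") not in files:
                findings.append((stanza, key, name, "lookup file not found"))
    return findings

if __name__ == "__main__":
    for finding in check_lookups(PROPS_CONF, TRANSFORMS_CONF, LOOKUP_FILES):
        print(finding)
```

A dangling reference matters for detection content: an automatic lookup that does not resolve leaves the enrichment fields unset, so searches that filter on them match nothing.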
