Splunk Search

Automatic lookup field not displayed

sc0tt
Builder

I created the below automatic lookup through Splunk 6 web.

app_info host AS host gate AS gate OUTPUTNEW app AS app 

If I use this lookup in a search it works as expected. However, when simply searching the source the output field is not displayed.

Am I missing something?

Tags (3)
0 Karma

aelliott
Motivator

I've found that the automatic lookups don't work with apps that they are not created under. Either 1 you will need to move the config settings to system, or 2 create the same lookup again for each app(and upload multiple csv files)

Here is some info on setting it up to be in system instead of a specific app:
http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Addfieldsfromexternaldatasources

jeremiahc4
Builder

Agreed, I just created my entire lookup (table, definition, and automatic lookup) in the app I want it in and it isn't showing the automatic lookup. Did you ever find an answer for this?

0 Karma

sc0tt
Builder

Thanks. I've done this but it still doesn't seem that it is working. I guess I need to look into this more and do some more testing.

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...