Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Creating an Automatic Lookup that applies to all hosts/sources/sourcetypes.

Ricapar
Communicator
‎05-30-2013 02:08 PM

I have a lookup table that I generate as a CSV dump of one of our databases. The database contains a list of all our hostnames, the host's role (dev, prod, etc), and who it belongs to.

The lookup table matches on the host field of an event.

I have the automatic lookup table working right now, but only for a single sourcetype. It works for other sourcetypes if I manually specify the |lookup command in the search.

Is it possible to create an automatic lookup that applies to every event, regardless of host, source, sourcetype, etc? Ideally I'd like to never have to use the |lookup command in order to see those extra columns displayed by default.

0 Karma
Reply

Ayn
Legend
‎05-30-2013 02:24 PM

Sure. Just use the [default] stanza in props.conf.

[default]
LOOKUP-yourlookup = yourlookupdefinition
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...