I have an automatic lookup in which I need to rename one of the lookup fields.
Right now whenever a search runs that has source="wsus" the automatic lookup correlates the hostname from the event with the hostname in the lookup file and adds both a business and sub_business field to the event. I need to rename the business field to "newbusiness", however in doing so, it seems as if the old automatic lookup field names are actually part of the event.
I was under the assumption that automatic lookups run at search time. Am I mistaken? Even after completely deleting the automatic lookup, both the business and sub_business fields still appear in the events, and if I try to rename the business field to newbusiness in the automatic lookup, when I run a search for source="wsus" it still returns only business and sub_business.
Any suggestions? Am I overlooking something? Your help is much appreciated.
Lookups only run at search time, so if the fields are getting looked up and added to the event, it seems like there's some configuration problem, perhaps in a different app or a private user context.
Note that a lookup can be configured to output the field names differently from what's in the file, e.g.:
LOOKUP-1 = mylookup infield1 OUTPUT filefieldname AS displayfieldname file2 AS displayfield2
Thanks for your quick response. Do you have any suggestions where to begin troubleshooting a configuration issue?
I understand that I can rename the output field names differently than what is in the file, however this doesn't really seem to be the issue. Regardless of what I put, only the original field names appear.
I should also note that this source="wsus" is in a summary index, but I figured that shouldn't make a difference.
When troubleshooting configuration changes that don't seem to apply, I'm a big fan of frequent restarts and (on linux) "cd /opt/splunk/etc && grep -R subbusiness" or (on windows) "cd c:\Program Files\Splunk\etc && findstr /snip subbusiness ."
Thanks. I've restarted a few times but nothing seems to have taken. Gkanapathy - to answer your question, yes, this is running in a distributed environment.
A few more findings. After doing some investigating I've realized I'm actually running the automatic lookup on sourcetype (not source), which means it's running the lookup on the scheduled searches prior to inserting them into the summary index. That explains the stored fields.
However, my question remains: can you run an automatic lookup on a summary index? I've created a new automatic lookup with source=wsus but when I run it on the summary index, no fields are added to the events.
I guess you could run a lookup on a summary index, but the "source" is the name of the job that inserted the data, and that's probably what you need to base it on.
I'll continue to poke around and see if I find anything. Just to confirm, the job name is indeed WSUS and it's displaying as source=wsus (and returning) events in the summary index.
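The configuration the thread is circling around, written out as an added example (not from any poster): a lookup whose output field is renamed with OUTPUT ... AS, bound to the summary-index source rather than to the raw sourcetype so it runs at search time instead of being baked into the stored events by the scheduled search. The lookup name hostinfo_lookup, the file hostinfo.csv and the hostnames in it are assumed values for illustration.

```ini
# transforms.conf  (assumed lookup name and file name)
# hostinfo.csv is a constructed sample with the columns the thread describes:
#   hostname,business,sub_business
#   web01,Retail,Online
#   db01,Finance,Payments
[hostinfo_lookup]
filename = hostinfo.csv

# props.conf
# Binding the lookup to the raw sourcetype means every search over that
# sourcetype, including the scheduled search that feeds the summary index,
# runs the lookup; the summary events then carry business/sub_business as
# stored fields, and renaming here will not change what is already indexed.
[wsus]
# LOOKUP-business = hostinfo_lookup hostname OUTPUT business sub_business

# For events read back from the summary index, key on their source instead.
# Summary events take the name of the saved search that wrote them as
# their source (source=wsus in the thread), and their sourcetype is stash,
# so a [source::...] stanza is the one that fires at search time.
# "business AS newbusiness" is the OUTPUT rename from the thread;
# sub_business keeps its file name.
[source::wsus]
LOOKUP-business = hostinfo_lookup hostname OUTPUT business AS newbusiness sub_business
```

After editing either file, re-run the summary-index search and check whether newbusiness appears; if business still shows instead, the field is stored in the summary events and was added by the scheduled search, not by this lookup.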