I have an automatic lookup in which i need to rename one of the lookup fields.
Right now whenever a search runs that has source="wsus" the automatic lookup correlates the hostname from the event with the hostname in the lookup file and adds both a business and sub_business field to the event. I need to rename the business field to "newbusiness", however in doing so, it seems as if the old automatic lookup field names are actually part of the event.
I was under the assumption that automatic lookups run at search time. Am I mistaken? Even after completely deleting the automatic lookup both the business and sub_business fields still appear in the events, and if I try to rename the business field to newbusiness in the automatic lookup, when I run a search for source="wsus" it still returns only business and sub_business.
Any suggestions? Am I overlooking something? Your help is much appreciated.
Thanks!
I figured out the solution to this problem.
When defining a source in an automatic lookup they are case sensitive. WSUS != wsus. I defined my automatic lookup to look for source=wsus when all my events were tagged with source=WSUS.
Somewhat of a minor annoyance and was a little more of a headache to figure out than I would have liked.
I wish there was a little more consistency in the way that Splunk handles case sensitivity and this is a perfect example.
If from a splunk search I can search for source=wsus and it'll return something that is defined as source=WSUS, shouldn't the same logic apply to an automatic lookup?
Again, minor annoyance but hopefully this saves someone some time if you run into the same problem.
Thanks!
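The case mismatch described in the answer, shown as props.conf / transforms.conf stanzas. This is an added example, not configuration from the original post: the lookup name `wsus_business_lookup`, the file name `wsus_business.csv` and the match field `hostname` are assumed.

```ini
# props.conf
# Source stanzas are matched case-sensitively, so this stanza never applies
# to events whose source is "WSUS": the lookup fields simply never appear.
[source::wsus]
LOOKUP-business = wsus_business_lookup hostname OUTPUT business sub_business

# Corrected: the stanza matches the source exactly as the events carry it.
# LOOKUP- settings run at search time; the AS clause renames the lookup
# field (business -> newbusiness) without touching the indexed event.
[source::WSUS]
LOOKUP-business = wsus_business_lookup hostname OUTPUT business AS newbusiness sub_business

# transforms.conf
# Defines the lookup referenced above (assumed lookup and file names).
[wsus_business_lookup]
filename = wsus_business.csv
```

A quick way to confirm which stanza is active is to compare the source value shown on the events (the field sidebar) with the stanza name character for character; a search-bar match on source=wsus proves nothing about the stanza, because the search itself is case-insensitive.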