Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Fields from external source

thepocketwade
Path Finder
‎03-30-2010 03:59 PM

I set up an external field lookup and got it working properly. Today I tried add a second. So far, I can only get one to work at a time (the last one listed in the props.conf file). I've switched the order of the stanzas and found that they each work but not together. Is there something that must be done to make them work together?

EDIT Here are the stanzas, with my machine name excised.

[$MyMachineName$]
LOOKUP-table = logs_per_day host OUTPUTNEW average_logs AS logs_per_day

[sendmail]
LOOKUP-table = location host OUTPUTNEW building AS location

Tags (1)
Reply

jrodman
Splunk Employee
Splunk Employee
‎04-16-2010 11:48 PM

If, as pdevlin guesses, you have one lookup attached to the host, and one lookup attached to the sourcetype, then the intersection of these will only perform ONE of these two lookups.

That is:

  • data that matches the host will get the host lookup.
  • data that matches the sourcetype will get the sourcetype lookup
  • data that matches both will only get the host lookup

This is by design. When you name your lookup "LOOKUP-table" you're essentially saying that this is the lookup which achieves some purpose or action described by "table". When you define it differently in different stanzas, this means that you wish the lookup to operate differently in different cases. Typically this is when you want the lookup to happen one way for most data (a default) but for some app, or some data source, etc you want to override how this is handled.

In your case, these lookups achieve different goals. One seems to be intended to determine something about logs per day, while the other seems to be something about location. You might want:

[host::machine_name]
LOOKUP-logsperday = logs_per_day host OUTPUTNEW average_logs AS logs_per_day

[sendmail]
LOOKUP-location = location host OUTPUTNEW building AS location

Now you have two different settings which are not intended to collide. You know more about what these lookups do, so you can probably give them more descriptive class names.

Reply

pdevlin
Explorer
‎04-02-2010 02:06 AM

My guess is that you need to add the host:: prefix to your "$MyMachineName$" stanza. It's not entirely clear but looks as if any stanza defined without a prefix is assumed to be a sourcetype. See props.conf.spec for more information.

Example:

[host::$MyMachineName$]

LOOKUP-table = logs_per_day host ....

[sendmail]

LOOKUP-table = location host ....

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-30-2010 05:58 PM

Could you post the stanzas please?

0 Karma
Reply

hulahoop
Splunk Employee
Splunk Employee
‎03-30-2010 05:36 PM

Are you trying to add a second for the same spec stanza? If so, make sure the class name is different.

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎04-02-2010 03:53 AM

The class name is how one stanza overrides the other. It's important to make sure that each distinct lookup has its own class name.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-30-2010 08:18 PM

class name shouldn't matter in two different stanzas, but I suspect if you make them different it will work fine. looks like a bug

0 Karma
Reply

thepocketwade
Path Finder
‎03-30-2010 05:55 PM

There are two different stanzas though, so does the class name matter?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...