Hi all,
I am struggling a bit with incorporating a lookup into my searches. I have a lookup file that is a single column of IP addresses and a header of TORIP. It should be a pretty basic search: index=* src_ip=* followed by the lookup. I added the lookup file and lookup definition, but when I run a search it fails, saying the lookup table doesn't exist.
After uploading TORIP.csv, did you define a lookup with it? (Cf. Define a CSV lookup in Splunk Web.) When I use a file named "foo.csv", I usually name the lookup "foo" to remind me that it is a necessary step.
Is the lookup visible to the user and is it in the same app or global?
Thank you, I was able to figure out the issue. I failed to place an OUTPUT after defining the field, so there was nothing for the search to look at. I fixed that and then added a search command to look for any of the IPs in the lookup command.
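
Added example, not part of the original thread: a sketch of the kind of search the last post describes. It assumes the lookup definition is named TORIP and has TORIP as its only column (as in the question); tor_match, first_seen and last_seen are hypothetical field names chosen for illustration.

```spl
index=* src_ip=*
| lookup TORIP TORIP AS src_ip OUTPUT TORIP AS tor_match
| search tor_match=*
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY src_ip
```

Without an OUTPUT clause, the lookup command returns only the non-match fields of the table, and a single-column lookup has none, so no field is added to matching events. Writing the match column out under a new name gives the following search command something to filter on.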