Splunk Search
Highlighted

Lookup Table for all Sourcetype

Explorer

Hi All,

Quick question, in Manager » Lookups » Automatic lookups » Add New
on Apply to drop down box, we can select from SOurcetype, source, or host.
If I choose any of the choices, can I put * on the sourcetype field. The reason is the lookup table that I created meant for any sourcetype, and any host those are currently indexed by my SPlunk.
I tried before it wouldn't do the trick. If possible, do I need to put other character value?

Please advise on this

Thanks

Tags (1)
0 Karma
Highlighted

Re: Lookup Table for all Sourcetype

Builder

The UI will create a stanza which did not work in my testing.

## props.conf
[*]
LOOKUP-all_test = my_test_lookup sourcetype OUTPUTNEW foo

If you want this lookup to be global I would recommend specifying this property in props.conf without a stanza:

## props.conf
LOOKUP-all_test = my_test_lookup sourcetype OUTPUTNEW foo

Based on a similar Q/A it is also possible use wildcards in sourcetype for props.conf if you don't want to make the lookup global: wildcards in sourcetypes.conf

View solution in original post

Highlighted

Re: Lookup Table for all Sourcetype

Communicator

A cleaner method may be using [host:*] stanza header.

0 Karma
Highlighted

Re: Lookup Table for all Sourcetype

Engager

I also accomplished similar using [default] as the stanza header.

Highlighted

Re: Lookup Table for all Sourcetype

Explorer

Thanks It works. Just delete the [*] and put on top of the props.conf.

Thanks again

0 Karma
Highlighted

Re: Lookup Table for all Sourcetype

Path Finder

Just need to select HOST as Apply To and * in named field as below while
Lookups » Automatic lookups » Add new

No need to edit Props.conf gile

Thanks
Neeraj Singh Dhapola

0 Karma