Quick question, in Manager » Lookups » Automatic lookups » Add New
on Apply to drop down box, we can select from SOurcetype, source, or host.
If I choose any of the choices, can I put * on the sourcetype field. The reason is the lookup table that I created meant for any sourcetype, and any host those are currently indexed by my SPlunk.
I tried before it wouldn't do the trick. If possible, do I need to put other character value?
Please advise on this
The UI will create a stanza which did not work in my testing.
## props.conf [*] LOOKUP-all_test = my_test_lookup sourcetype OUTPUTNEW foo
If you want this lookup to be global I would recommend specifying this property in props.conf without a stanza:
## props.conf LOOKUP-all_test = my_test_lookup sourcetype OUTPUTNEW foo
Based on a similar Q/A it is also possible use wildcards in sourcetype
Just need to select HOST as Apply To and * in named field as below while
Lookups » Automatic lookups » Add new
No need to edit Props.conf gile
Neeraj Singh Dhapola