Lookups in Manager can I add multiple sourcetypes ...

dcroteau · ‎05-14-2010

From the Doc:

Edit existing automatic lookups or configure a new lookup to run automatically

Instead of invoking the lookup command when you want to apply a fields lookup to your events, you can set the lookup to run automatically. Use the Manager > Lookups > Automatic lookups page to edit or configure automatic lookups:

Select the lookup table file that you want use in your fields lookup.
Select a host, source, or sourcetype value to apply the lookup.

If I want to apply it to multipe sourcetypes can I add them seperated by a comma?

Lowell · ‎05-14-2010

Nope. You have to do this for each entry manually.

Of course, if you set this up via the props.conf conf file, that simply means coping a single line to different stanzas. You may be able to match a couple at once by using a source pattern, but as far as I know, you can't do pattern matching with the sourcetypes.

Also keep in mind that you can use the lookup command too. I'm not sure what your use case is, but your trying to do a search that has multiple sourcetypes and you want to do the same lookup for all of them, then using the lookup command is probably your best approach. Especially is this is not a lookup that you will need all the time -- keep in mind that adding automatic lookups can have a performance penalty on regular searches.

sideview · ‎05-19-2010

If it plays nice with sourcetype aliases you could maybe alias all the sourcetypes to sourcetype=autoLookupEnabled and then use that as the single sourcetype in the autolookup stanza. Kind of a big if though.

Lookups in Manager can I add multiple sourcetypes to the automatic lookup

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!