Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

New field added to lookup table not displaying

johnboldt
Explorer
‎04-28-2011 10:24 AM

I'm adding a new field to an existing lookup table but it's not showing up in any searches. These are the steps I followed:

  • Added the new field to the existing lookup .csv file
  • Added the new column to the application props.conf LOOKUP
  • Restarted splunkd

The existing lookup fields are still showing up in searches, but not the new field. Am I missing a step?

csv (Dependent_Service_Call_Group is the new field)

ElapsedMetricDescription,Dependent_Service_Call,Dependent_Service_Call_Group,Target_Response_Time_At_90th,Planned_Throughput
CDB Call [CPSDRVRA] Response time:,CDB Call,Checkout,500,12000  
Standardize Address Request. Response time:,Standardize Address,Checkout,500,5000

Transforms.conf:

[Dependent_Service_Metrics_NFR_Targets]
filename = Dependent_Service_Metrics_NFR_Targets.csv

props.conf:

LOOKUP-Dependent_Service_Metrics_NFR_Targets = Dependent_Service_Metrics_NFR_Targets ElapsedMetricDescription AS ElapsedMetricDescription OUTPUTNEW Dependent_Service_Call AS Dependent_Service_Call Dependent_Service_Call_Group AS Dependent_Service_Call_Group Planned_Throughput AS Planned_Throughput Target_Response_Time_At_90th AS Target_Response_Time_At_90th
Tags (3)
0 Karma
Reply

hazekamp
Builder
‎04-28-2011 10:32 AM

John,

There could be a number of reasons for this, including OUTPUT vs. OUTPUTNEW. Can you post a few lines of your csv, your props, and an example event?

David

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...