
Not getting field automatically from lookup table


I have a file, racf_username.csv, located in /opt/splunk/etc/system/lookups, which looks like:
A123456,A Name
B123456, Another Name
As regards permissions, the table is updated nightly from a server and shows No Owner and the app being System.
Everyone can read but only admin can write.

In transforms.conf located in /opt/splunk/etc/system/local is the following:

In props.conf located in /opt/splunk/etc/system/local is the following:
LOOKUP_racftousernames = racf_username racf OUTPUT username

However, a simple search such as:
sourcetype="MySourceType" | table racf, username
does not display any usernames.

If instead I use:
sourcetype="MySourceType" | lookup racf_username racf OUTPUT username | table racf, username
then everything works fine. I just don't get the automatically filled in username field.

Any idea how to get this to work automatically?

0 Karma

Esteemed Legend

Actually, the correct thing to do is to move it all (inputs.conf, props.conf, transforms.conf) into your own app in a location like:


You can modify it afterwards to give it global app permissions so it works everywhere.

0 Karma


I redid everything using the web interface instead of editing the files directly and it worked for User admin and App search. And it worked in search. I then changed the permissions to make sharing global and it worked for a regular user logon in App search.

I tested it in a couple of dashboards and it seems to work for all users and perhaps all apps. But the props.conf and transforms.conf files are in the directory /opt/splunk/etc/apps/search/local. I don't understand how other apps are able to work when these conf files are in this directory. It seems to me that they should be in the directory listed in my original post, namely /opt/splunk/etc/system/local to be non app specific as opposed to being in the search app directory.

0 Karma


I think you want to replace the underscore in props.conf with a hyphen. It should be LOOKUP-racftousernames not LOOKUP_racftousernames.

0 Karma


Changing the underscore to a hyphen made no difference.

0 Karma
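
A check for the props.conf naming point raised in the replies above, as an added example that is not part of the original thread: it parses props.conf and transforms.conf text, flags any lookup setting that is not spelled `LOOKUP-<class>`, and confirms that the lookup it names has a stanza in transforms.conf. The `[MySourceType]` and `[racf_username]` stanza headers, the `filename` line and the function names are assumptions made for the sample.

```python
import re

# Constructed sample files; the [MySourceType] and [racf_username] stanza
# headers are assumptions, the thread shows only the LOOKUP line itself.
PROPS = """\
[MySourceType]
LOOKUP_racftousernames = racf_username racf OUTPUT username
"""
TRANSFORMS = """\
[racf_username]
filename = racf_username.csv
"""

def parse_conf(text):
    """Parse a .conf body into {stanza: {setting: value}}."""
    stanzas = {}
    current = stanzas.setdefault("default", {})  # settings before any header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_lookups(props_text, transforms_text):
    """Return a list of problems found in automatic-lookup settings."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    problems = []
    for stanza, settings in props.items():
        for key, value in settings.items():
            if not key.upper().startswith("LOOKUP"):
                continue
            # Automatic lookups are named LOOKUP-<class>, with a hyphen.
            if not re.fullmatch(r"LOOKUP-\S+", key):
                problems.append(f"[{stanza}] {key}: expected LOOKUP-<class>")
            # The first token of the value names a transforms.conf stanza.
            name = value.split()[0] if value.split() else ""
            if name not in transforms:
                problems.append(f"[{stanza}] {key}: no [{name}] in transforms.conf")
    return problems

if __name__ == "__main__":
    for problem in lint_lookups(PROPS, TRANSFORMS):
        print(problem)
```

The check covers only the spelling of the setting and the presence of the transforms.conf stanza; it does not look at app context or sharing permissions, which the thread also discusses.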