
Not getting field automatically from lookup table

Contributor

I have a file: racf_username.csv located in /opt/splunk/etc/system/lookups which looks like:
racf,username
A123456,A Name
B123456, Another Name
.
.
As regards permissions, the table is updated nightly from a server and shows No Owner and the app being System.
Everyone can read but only admin can write.

In transforms.conf located in /opt/splunk/etc/system/local is the following:
[racf_username]
filename=racf_username.csv
max_matches=1
min_matches=1
default_match=Unknown

In props.conf located in /opt/splunk/etc/system/local is the following:
[sourcetype::MySourceType]
LOOKUP_racftousernames = racf_username racf OUTPUT username

However, a simple search such as:
sourcetype="MySourceType" | table racf, username does not display any usernames

If instead I use:
sourcetype="MySourceType" | lookup racf_username racf OUTPUT username | table racf, username
then everything works fine. I just don't get the automatically filled in username field.

Any idea how to get this to work automatically?


Re: Not getting field automatically from lookup table

Motivator

I think you want to replace the underscore in props.conf with a hyphen. It should be LOOKUP-racftousernames not LOOKUP_racftousernames.


Re: Not getting field automatically from lookup table

Contributor

Changing the underscore to a hyphen made no difference.


Re: Not getting field automatically from lookup table

Contributor

I redid everything using the web interface instead of editing the files directly and it worked for User admin and App search. And it worked in search. I then changed the permissions to make sharing global and it worked for a regular user logon in App search.

I tested it in a couple of dashboards and it seems to work for all users and perhaps all apps. But the props.conf and transforms.conf files are in the directory /opt/splunk/etc/apps/search/local. I don't understand how other apps are able to work when these conf files are in this directory. It seems to me that they should be in the directory listed in my original post, namely /opt/splunk/etc/system/local, to be non-app-specific as opposed to being in the search app directory.


Re: Not getting field automatically from lookup table

Esteemed Legend

Actually, the correct thing to do is to move it all (inputs.conf, props.conf, transforms.conf) into your own app in a location like:

$SPLUNK_HOME/etc/apps/MyApp/default

You can modify it afterwards to give it global app permissions so it works everywhere.

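As an added example (not code from the thread or from Splunk), here is a small Python lint that does what the posters above were checking by hand, laid out against the per-app directory the last reply recommends: it reads an app's default/ and local/ props.conf and transforms.conf in the order Splunk layers them, confirms that each automatic LOOKUP- entry names an existing transforms stanza, that the stanza's CSV is present in the app's lookups directory, and that every input and OUTPUT field appears in the CSV header. The app name MyApp, the file contents, and the second LOOKUP- line with a field that is not in the CSV are constructed for the demo; the key separator (LOOKUP- versus LOOKUP_) is deliberately not flagged, since the thread reports that changing it made no difference.

```python
"""Offline lint for Splunk automatic lookups (props.conf + transforms.conf + lookups/).
Added example, not Splunk code; all file contents below are constructed."""
import configparser
import csv
import os
import re
import tempfile

# Constructed sample files modelled on the thread's racf -> username lookup.
TRANSFORMS = """[racf_username]
filename = racf_username.csv
max_matches = 1
min_matches = 1
default_match = Unknown
"""
# Two constructed defects: a stanza name that does not exist, and an OUTPUT field missing from the CSV.
PROPS_BROKEN = """[MySourceType]
LOOKUP-racftousernames = racfusername racf OUTPUT username
LOOKUP-racftodisplay = racf_username racf OUTPUT display_name
"""
PROPS_FIXED = """[MySourceType]
LOOKUP-racftousernames = racf_username racf OUTPUT username
"""
LOOKUP_CSV = "racf,username\nA123456,A Name\nB123456,Another Name\n"

# LOOKUP-<class> keys; the hyphen/underscore separator is accepted either way and not linted.
LOOKUP_KEY = re.compile(r"^lookup[-_]", re.IGNORECASE)


def parse_conf(paths):
    """Read Splunk .conf files (INI-like) in order; later files override earlier ones,
    which is how Splunk layers local/ over default/. Key case is preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read(paths)  # missing files are skipped silently
    return {s: dict(cp.items(s)) for s in cp.sections()}


def split_lookup_spec(spec):
    """'name in1 [AS f], in2 OUTPUT out1 [AS g]' -> (name, lookup-side input fields, lookup-side output fields)."""
    tokens = spec.split()
    idx = next((i for i, t in enumerate(tokens) if t.upper() in ("OUTPUT", "OUTPUTNEW")), len(tokens))

    def lookup_side(parts):
        # each clause is '<lookup_field> [AS <event_field>]'; the lookup-side name comes first
        return [clause.split()[0] for clause in " ".join(parts).split(",") if clause.strip()]

    return tokens[0], lookup_side(tokens[1:idx]), lookup_side(tokens[idx + 1:])


def lint_app(app_root):
    """Return (stanza, key, message) findings for automatic lookups in one app directory."""

    def layered(name):
        return [os.path.join(app_root, layer, name) for layer in ("default", "local")]

    props = parse_conf(layered("props.conf"))
    transforms = parse_conf(layered("transforms.conf"))
    lookups_dir = os.path.join(app_root, "lookups")
    findings = []
    for stanza, keys in props.items():
        for key, value in keys.items():
            if not LOOKUP_KEY.match(key):
                continue
            name, inputs, outputs = split_lookup_spec(value)
            tdef = transforms.get(name)
            if tdef is None:
                findings.append((stanza, key, f"no [{name}] stanza in transforms.conf"))
                continue
            filename = tdef.get("filename", "")
            csv_path = os.path.join(lookups_dir, filename)
            if not filename or not os.path.isfile(csv_path):
                findings.append((stanza, key, f"lookup file '{filename}' not found in {lookups_dir}"))
                continue
            with open(csv_path, newline="") as fh:
                header = next(csv.reader(fh), [])
            for field in inputs + outputs:
                if field not in header:
                    findings.append((stanza, key, f"field '{field}' not in header of {filename}"))
    return findings


def write(path, body):
    with open(path, "w") as fh:
        fh.write(body)


def demo():
    """Lay out etc/apps/MyApp/{default,lookups} in a temp dir and lint both props.conf variants."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "etc", "apps", "MyApp")  # MyApp is a hypothetical app name
        os.makedirs(os.path.join(app, "default"))
        os.makedirs(os.path.join(app, "lookups"))
        write(os.path.join(app, "default", "transforms.conf"), TRANSFORMS)
        write(os.path.join(app, "lookups", "racf_username.csv"), LOOKUP_CSV)
        results = {}
        for label, body in (("broken", PROPS_BROKEN), ("fixed", PROPS_FIXED)):
            write(os.path.join(app, "default", "props.conf"), body)
            results[label] = lint_app(app)
        return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "OK")
```

Run stand-alone it reports two findings for the broken variant and none for the fixed one; point lint_app at a real app directory under $SPLUNK_HOME/etc/apps to check deployed configuration. Whether the lookup is usable from other apps is a separate matter governed by the app's metadata (sharing set to global in the web UI, which writes export = system into metadata/local.meta, or the same setting placed in metadata/default.meta), which this lint does not read.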