I have a file: racf_username.csv located in /opt/splunk/etc/system/lookups which looks like;
B123456, Another Name
As regards permissions, the table is updated nightly from a server and shows No Owner and the app being System.
Everyone can read but only admin can write.
In transforms.conf located in /opt/splunk/etc/system/local is the following:
In props.conf located in /opt/splunk/etc/system/local is the following:
LOOKUPracftousernames = racfusername racf OUTPUT username
However, a simple search such as:
sourcetype="MySourceType" | table racf, username does not display any usernames
If instead I use:
sourcetype="MySourceType" | lookup racf_username racf OUTPUT username | table racf, username
then everything works fine. I just don't get the automatically filled in username field.
Any idea how to get this to work automatically?
I think you want to replace the underscore in props.conf with a hyphen. It should be
I redid everything using the web interface instead of editing the files directly and it worked for User admin and App search. And it worked in search. I then changed the permissions to make sharing global and it worked for a regular user logon in App search.
I tested it in a couple of dashboards and it seems to work for all users and perhaps all apps. But the props.conf and transforms.conf files are in the directory /opt/splunk/etc/apps/search/local. I don't understand how other apps are able to work when these conf files are in this directory. It seems to me that they should be in the directory listed in my original post, namely /opt/splunk/etc/system/local to be non app specific as opposed to being in the search app directory.
Actually, the correct thing to do is to move it all (inputs.conf, props.conf, transforms.conf) into your own app in a location like:
You can modify it afterwards to give it global app permissions so it works everywhere.