Splunk Search

Splunk Free v.5.0.4 Static Lookups Not Working

bradp123
Path Finder

Hello,

I have set up a Splunk Free instance with DHCP, DNS (squid), and firewall logs going into it. I am trying to configure a lookup table to assist with resolving DNS names. I have tried and tried, but cannot get this feature working. Here are the specifics:

csv file: splunk_lookup_home.csv (located in /opt/splunk/etc/system/lookups)
homeip,homename
192.168.0.1,testname
192.168.0.2,test2name

/opt/splunk/etc/system/local/transforms.conf
...
[lan_lookup]
filename = splunk_lookup_home.csv

/opt/splunk/etc/system/local/props.conf
...
[squid]
LOOKUP-lan = lan_lookup homeip OUTPUT homename

After I restart Splunk I am not seeing the new field, homename. I have been following this guide: http://docs.splunk.com/Documentation/Splunk/5.0.4/Knowledge/Addfieldsfromexternaldatasources. Even when I run the lookup from the search bar I am not getting the new fields:

sourcetype="squid" | lookup lan_lookup homeip OUTPUT homename
sourcetype="squid" | lookup lan_lookup homeip as clientip OUTPUT homename as clientip
I do see what looks to be a correct entry in the manager (Manager » Lookups » Automatic lookups). What am I forgetting to do? Is this a limitation of splunk free? Perhaps something with permissions? All the permissions are set to global.

UPDATED: Fixed misspelled word (transforms.conf).


bradp123
Path Finder

I ran the search as you recommended, but it states "No matching events found". The clientip field is being extracted by a regex in my transforms.conf file. When I run this command I get the desired results: sourcetype="squid" | top 10 clientip. Any other ideas? Thanks for the help.


linu1988
Champion

You need to run this:

sourcetype="squid" | lookup lan_lookup homeip as clientip

This will give you the result; no need to mention the OUTPUT anymore. Valid point from Ayn; also, I don't see much of a mistake there.


Ayn
Legend

What happens when you run the lookup, do you get any error messages? Because in your post I see you've used the name transform.conf where it really should be transforms.conf. I guess it very likely is a typo, but I'm just pointing it out in case it isn't 🙂

EDIT: OK. Some more things to verify:

You have these different lookup commands:

sourcetype="squid" | lookup lan_lookup homeip OUTPUT homename
sourcetype="squid" | lookup lan_lookup homeip as clientip OUTPUT homename as clientip

In the first, the lookup will obviously only work if the field "homeip" really exists and has an IP address that the lookup finds a match for. Is this true in your case?

In the second, you're reading the field "clientip" and then also writing "clientip" (order in lookup "as" field naming is wildly confusing), not "homename". Are you checking for the results in the field "homename" or "clientip"?
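As an added example that is not from any post in this thread: the automatic lookup from the question rewritten so the CSV column homeip is matched against the event field clientip, which is the point both linu1988 and Ayn are making. The stanza names, file paths and field names are the poster's own; the "<lookup_field> AS <event_field>" syntax is the props.conf LOOKUP syntax from the Splunk docs page linked above.

```ini
# /opt/splunk/etc/system/local/transforms.conf (unchanged from the question)
[lan_lookup]
filename = splunk_lookup_home.csv

# /opt/splunk/etc/system/local/props.conf
[squid]
# As posted: matches the CSV column "homeip" against an event field that is
# also named "homeip". The squid events carry the client address in the
# regex-extracted field "clientip", so no row ever matches and "homename"
# is never added to the events.
#LOOKUP-lan = lan_lookup homeip OUTPUT homename

# Corrected: "homeip AS clientip" maps the CSV column onto the field the
# events actually contain; "homename" is then written into the events
# under its own name (add "AS <field>" after it to rename the output).
LOOKUP-lan = lan_lookup homeip AS clientip OUTPUT homename
```

The equivalent manual check is sourcetype="squid" | lookup lan_lookup homeip AS clientip OUTPUT homename | stats count by clientip homename, which shows which client addresses found a row in the CSV.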

Ayn
Legend

Added some more things to troubleshoot.


bradp123
Path Finder

Thanks for pointing that out. It is in fact a typo. I am using transforms.conf. When I run the search commands I am not getting any errors.
