Hello,
I have set up a Splunk Free instance with DHCP, DNS (squid), and firewall logs going into it. I am trying to configure a lookup table to assist with resolving DNS names. I have tried and tried, but cannot get this feature working. Here are the specifics:
csv file: splunk_lookup_home.csv (located in /opt/splunk/etc/system/lookups)
homeip,homename
192.168.0.1,testname
192.168.0.2,test2name
/opt/splunk/etc/system/local/transforms.conf
...
[lan_lookup]
filename = splunk_lookup_home.csv
/opt/splunk/etc/system/local/props.conf
...
[squid]
LOOKUP-lan = lan_lookup homeip OUTPUT homename
After I restart Splunk I am not seeing the new field, homename. I have been following this guide: http://docs.splunk.com/Documentation/Splunk/5.0.4/Knowledge/Addfieldsfromexternaldatasources. Even when I run the lookup from the search bar I am not getting the new fields:
sourcetype="squid" | lookup lan_lookup homeip OUTPUT homename
I do see what looks to be a correct entry in the manager (Manager » Lookups » Automatic lookups). What am I forgetting to do? Is this a limitation of Splunk Free? Perhaps something with permissions? All the permissions are set to global.
sourcetype="squid" | lookup lan_lookup homeip as clientip OUTPUT homename as clientip
UPDATED: Fixed misspelled word (transforms.conf).
I ran the search as you recommended, but it states "No matching events found". The clientip field is being extracted by a regex in my transforms.conf file. When I run this command I get the desired results: sourcetype="squid" | top 10 clientip. Any other ideas? Thanks for the help.
You need to run this:
sourcetype="squid" | lookup lan_lookup homeip as clientip
This will give you the result; no need to mention the OUTPUT anymore. Valid point from AYN also, I don't see much of a mistake there.
What happens when you run the lookup, do you get any error messages? Because in your post I see you've used the name transform.conf where it really should be transforms.conf. I guess it very likely is a typo but just pointing it out in case it isn't 🙂
EDIT: OK. Some more things to verify:
You have these different lookup commands:
sourcetype="squid" | lookup lan_lookup homeip OUTPUT homename
sourcetype="squid" | lookup lan_lookup homeip as clientip OUTPUT homename as clientip
In the first, the lookup will obviously only work if the field "homeip" really exists and has an IP address that the lookup finds a match for. Is this true in your case?
In the second, you're reading the field "clientip" and then also writing "clientip" (order in lookup "as" field naming is wildly confusing), not "homename". Are you checking for the results in the field "homename" or "clientip"?
Added some more things to troubleshoot.
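To make the field-naming point above concrete, here is an added example (not part of the thread, and not Splunk's own code) that mimics how `lookup <table> <lookup_field> [as <event_field>] [OUTPUT <col> [as <dest>]]` joins the CSV from the question against squid-style events. The events and the reuse of the poster's CSV are constructed; the three cases are the three commands discussed in the thread.

```python
import csv
import io

# Constructed copy of the CSV from the question (splunk_lookup_home.csv).
LOOKUP_CSV = """homeip,homename
192.168.0.1,testname
192.168.0.2,test2name
"""

# Constructed squid-style events: they carry clientip, not homeip.
EVENTS = [
    {"sourcetype": "squid", "clientip": "192.168.0.1", "dest": "example.com"},
    {"sourcetype": "squid", "clientip": "192.168.0.2", "dest": "example.org"},
    {"sourcetype": "squid", "clientip": "10.0.0.9", "dest": "example.net"},
]


def load_lookup(text):
    """Parse the CSV lookup into a list of row dicts (header = column names)."""
    return list(csv.DictReader(io.StringIO(text)))


def apply_lookup(events, table, match_field, match_as=None, output=None):
    """Simulate the lookup command: match_field is the CSV column, match_as the
    event field compared against it (defaults to the same name), output maps
    CSV column -> event field to write (default: every other column, same name)."""
    event_field = match_as or match_field
    if output is None:
        output = {c: c for c in table[0] if c != match_field}
    index = {row[match_field]: row for row in table}
    result = []
    for ev in events:
        ev = dict(ev)
        row = index.get(ev.get(event_field))  # no event field -> no match
        if row is not None:
            for col, dest in output.items():
                ev[dest] = row[col]
        result.append(ev)
    return result


def run_all():
    table = load_lookup(LOOKUP_CSV)
    # 1) `lookup lan_lookup homeip OUTPUT homename`: events have no homeip field, nothing matches.
    no_alias = apply_lookup(EVENTS, table, "homeip", output={"homename": "homename"})
    # 2) `... homeip as clientip OUTPUT homename as clientip`: match works but overwrites clientip.
    overwrite = apply_lookup(EVENTS, table, "homeip", "clientip", {"homename": "clientip"})
    # 3) `lookup lan_lookup homeip as clientip`: match on clientip, homename added alongside it.
    correct = apply_lookup(EVENTS, table, "homeip", "clientip")
    return no_alias, overwrite, correct
```

Case 3 is the one that adds homename while keeping clientip intact; an IP absent from the CSV (10.0.0.9) simply gets no homename field.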
Thanks for pointing that out. It is in fact a typo. I am using transforms.conf. When I run the search commands I am not getting any errors.