Re: Where I can find the outputlookup files in the...

skuma30 · ‎01-18-2017

I am having some trouble with locating the lookup files, can some one please help me?

DalJeanis · ‎01-18-2017

Just in case you aren't yet familiar with the interface, and are asking a much more basic question -

1) Near the top right of the splunk screen there is a drop-down called "settings". Underneath that, there is a selection "lookups". Click that, then you can see a lookup file list by app.

2) to test if the outputlookup file was really created and has anything in it, you can try something like this search

|inputlookup mylookupname | head 5

hunters_splunk · ‎01-18-2017

Hi skuma30,

File-based lookups are located in $Splunk_Home/etc/apps//lookups .
The lookup stanzas are defined in transforms.conf and props.conf.

Hope this helps. Thanks!
Hunter

skuma30 · ‎01-18-2017

Thanks for the reply....

somesoni2 · ‎01-18-2017

From the outputlookup documentation page:

For CSV-based lookups, if the lookup file does not exist, it is created in the lookups directory of the current application. If the lookup file already exists, it is overwritten with the results of the outputlookup command.

So I would look at directory $SPLUNK_HOME/etc/apps/<<YourCurrentAppNameHere>>/lookups.

skuma30 · ‎01-18-2017

Thanks for the reply......

woodcock · ‎03-05-2017

If you are new, YourCurrentAppNameHere is probably search.

Where I can find the outputlookup files in the Splunk instance??

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann