I am having some trouble locating the lookup files. Can someone please help me?
Just in case you aren't yet familiar with the interface, and are asking a much more basic question -
1) Near the top right of the Splunk screen there is a drop-down called "settings". Underneath that, there is a selection "lookups". Click that, then you can see a lookup file list by app.
2) To test if the outputlookup file was really created and has anything in it, you can try something like this search:
|inputlookup mylookupname | head 5
Hi skuma30,
File-based lookups are located in $Splunk_Home/etc/apps//lookups .
The lookup stanzas are defined in transforms.conf and props.conf.
Hope this helps. Thanks!
Hunter
Thanks for the reply....
From the outputlookup documentation page:
For CSV-based lookups, if the lookup file does not exist, it is created in the lookups directory of the current application. If the lookup file already exists, it is overwritten with the results of the outputlookup command.
So I would look at directory $SPLUNK_HOME/etc/apps/<<YourCurrentAppNameHere>>/lookups.
Thanks for the reply......
If you are new, YourCurrentAppNameHere is probably search.