Where do the automatic lookups reside?

ddrillic · ‎11-17-2017

We have a couple of automatic lookups and I don't see them in the SH under /opt/splunk/etc/apps/<app_name>/lookups

Where are they? ; - ) the process which generates them seemed to stop today.

elliotproebstel · ‎11-17-2017

Are the lookups file-based? Try looking in Settings > Lookups > Lookup Definitions. When you identify the row with the lookup in question, notice the Type column; if it's a kvstore, then the data lives in a database and won't be in a file on the file system. If the Type is file, then look at the Lookup file and App columns - the name of the app should plug into the file path you specified above. If it's not, then take a look at the Sharing field. If the lookup is Private, then it will be inside the user directory of the user who created the lookup.

ddrillic · ‎11-17-2017

Great, but we don't see the definitions of the Automatic lookups within the Lookup definitions.

elliotproebstel · ‎11-17-2017

Ah, sure. There is one more step you need. Go to Settings > Lookups > Automatic lookups. Locate the lookup in question, and make note of the defined lookup it is using. For example, here is a line from my Automatic lookups:

DhcpSrvLog : LOOKUP-signature_for_microsoft_dhcp   msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature     No owner     Splunk_TA_windows_default_disabled     Global | Permissions  Enabled Clone

In this case, the name of the lookup is msdchp_signature_lookup; it will always be the first word (or series of words, connected with underscores) in the second column. This is the name of the defined lookup that the automatic lookup uses. You can follow the steps from my first answer to track backwards with this defined lookup name.

Where do the automatic lookups reside?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life