We have a couple of automatic lookups and I don't see them in the SH under /opt/splunk/etc/apps/<app_name>/lookups
Where are they? ; - ) The process which generates them seemed to stop today.
Are the lookups file-based? Try looking in Settings > Lookups > Lookup Definitions. When you identify the row with the lookup in question, notice the Type column; if it's a kvstore, then the data lives in a database and won't be in a file on the file system. If the Type is file, then look at the Lookup file and App columns - the name of the app should plug into the file path you specified above. If it's not, then take a look at the Sharing field. If the lookup is Private, then it will be inside the user directory of the user who created the lookup.
Great, but we don't see the definitions of the Automatic lookups within the Lookup definitions.
Ah, sure. There is one more step you need. Go to Settings > Lookups > Automatic lookups. Locate the lookup in question, and make note of the defined lookup it is using. For example, here is a line from my Automatic lookups:
DhcpSrvLog : LOOKUP-signature_for_microsoft_dhcp msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature No owner Splunk_TA_windows_default_disabled Global | Permissions Enabled Clone
In this case, the name of the lookup is msdhcp_signature_lookup; it will always be the first word (or series of words, connected with underscores) in the second column. This is the name of the defined lookup that the automatic lookup uses. You can follow the steps from my first answer to track backwards with this defined lookup name.