Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why doesn't my new lookup field show up in search?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I am trying to tie mac addresses to username based on DHCP data. I have followed all the online documentation but the new field is not showing up in the field picker in the search app. I have tried checking the permissions (they're correct) and restarting splunk to no effect. Here is a sample of the DHCP data:
Jul 26 15:27:42 130.184.6.37 Jul 26 15:27:42 130.184.251.34 dhcpd: DHCPACK on 172.17.158.212 to 00:0a:5e:02:c4:58 (NetworkJack) via eth0.158
Here is a sample of the lookup file and the relevant .conf bits:
**Lookup CSV:
in /opt/splunk/etc/apps/search/lookups/dhcpd_username.csv
src_mac,user
58:b0:35:fd:c8:d5,sean
**Transforms.conf
in /opt/splunk/etc/apps/search/local/transforms.conf
[dhcpd_username]
filename = dhcpd_username.csv
**Props.conf
in /opt/splunk/etc/apps/search/local/props.conf
[dhcpd_username]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user
And to get src_mac I am using the app Linux DHCP by araitz.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the sourcetype for these events really "dhcpd_username"? The stanza in props.conf says it is but my guess is that the sourcetype is something else - in that case you need to change props.conf to reflect that. So for instance if sourcetype for these events is "dhcp":
[dhcp]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the sourcetype for these events really "dhcpd_username"? The stanza in props.conf says it is but my guess is that the sourcetype is something else - in that case you need to change props.conf to reflect that. So for instance if sourcetype for these events is "dhcp":
[dhcp]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! That was it. I knew it had to be something simple. I think I was assuming that had to match the transforms.conf. Great!!
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
