Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why doesn't my new lookup field show up in search?

sab057
Explorer
‎07-26-2011 01:47 PM

Hi, I am trying to tie mac addresses to username based on DHCP data. I have followed all the online documentation but the new field is not showing up in the field picker in the search app. I have tried checking the permissions (they're correct) and restarting splunk to no effect. Here is a sample of the DHCP data:

Jul 26 15:27:42 130.184.6.37 Jul 26 15:27:42 130.184.251.34 dhcpd: DHCPACK on 172.17.158.212 to 00:0a:5e:02:c4:58 (NetworkJack) via eth0.158

Here is a sample of the lookup file and the relevant .conf bits:

**Lookup CSV:
in /opt/splunk/etc/apps/search/lookups/dhcpd_username.csv

src_mac,user

58:b0:35:fd:c8:d5,sean

**Transforms.conf
in /opt/splunk/etc/apps/search/local/transforms.conf

[dhcpd_username]

filename = dhcpd_username.csv

**Props.conf
in /opt/splunk/etc/apps/search/local/props.conf

[dhcpd_username]

LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user

And to get src_mac I am using the app Linux DHCP by araitz.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-26-2011 02:23 PM

Is the sourcetype for these events really "dhcpd_username"? The stanza in props.conf says it is but my guess is that the sourcetype is something else - in that case you need to change props.conf to reflect that. So for instance if sourcetype for these events is "dhcp":

[dhcp]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-26-2011 02:23 PM

Is the sourcetype for these events really "dhcpd_username"? The stanza in props.conf says it is but my guess is that the sourcetype is something else - in that case you need to change props.conf to reflect that. So for instance if sourcetype for these events is "dhcp":

[dhcp]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user
Reply
Solved! Jump to solution

sab057
Explorer
‎07-26-2011 02:45 PM

Thanks! That was it. I knew it had to be something simple. I think I was assuming that had to match the transforms.conf. Great!!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...