Splunk Search

Why doesn't my new lookup field show up in search?

Explorer

Hi, I am trying to tie mac addresses to username based on DHCP data. I have followed all the online documentation but the new field is not showing up in the field picker in the search app. I have tried checking the permissions (they're correct) and restarting splunk to no effect. Here is a sample of the DHCP data:

Jul 26 15:27:42 130.184.6.37 Jul 26 15:27:42 130.184.251.34 dhcpd: DHCPACK on 172.17.158.212 to 00:0a:5e:02:c4:58 (NetworkJack) via eth0.158

Here is a sample of the lookup file and the relevant .conf bits:

**Lookup CSV:
in /opt/splunk/etc/apps/search/lookups/dhcpd_username.csv

src_mac,user

58:b0:35:fd:c8:d5,sean

**Transforms.conf
in /opt/splunk/etc/apps/search/local/transforms.conf

[dhcpd_username]

filename = dhcpd_username.csv

**Props.conf
in /opt/splunk/etc/apps/search/local/props.conf

[dhcpd_username]

LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user

And to get src_mac I am using the app Linux DHCP by araitz.

Tags (1)
1 Solution

Legend

Is the sourcetype for these events really "dhcpd_username"? The stanza in props.conf says it is but my guess is that the sourcetype is something else - in that case you need to change props.conf to reflect that. So for instance if sourcetype for these events is "dhcp":

[dhcp]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user

View solution in original post

Legend

Is the sourcetype for these events really "dhcpd_username"? The stanza in props.conf says it is but my guess is that the sourcetype is something else - in that case you need to change props.conf to reflect that. So for instance if sourcetype for these events is "dhcp":

[dhcp]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user

View solution in original post

Explorer

Thanks! That was it. I knew it had to be something simple. I think I was assuming that had to match the transforms.conf. Great!!

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!