Why doesn't my new lookup field show up in search?

Explorer

Hi, I am trying to tie MAC addresses to usernames based on DHCP data. I have followed all the online documentation, but the new field is not showing up in the field picker in the search app. I have tried checking the permissions (they're correct) and restarting Splunk, to no effect. Here is a sample of the DHCP data:

Jul 26 15:27:42 130.184.6.37 Jul 26 15:27:42 130.184.251.34 dhcpd: DHCPACK on 172.17.158.212 to 00:0a:5e:02:c4:58 (NetworkJack) via eth0.158

Here is a sample of the lookup file and the relevant .conf bits:

Lookup CSV (/opt/splunk/etc/apps/search/lookups/dhcpd_username.csv):

src_mac,user
58:b0:35:fd:c8:d5,sean

transforms.conf (/opt/splunk/etc/apps/search/local/transforms.conf):

[dhcpd_username]
filename = dhcpd_username.csv

props.conf (/opt/splunk/etc/apps/search/local/props.conf):

[dhcpd_username]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user

And to get src_mac I am using the app Linux DHCP by araitz.


Legend

Is the sourcetype for these events really "dhcpd_username"? The stanza in props.conf says it is but my guess is that the sourcetype is something else - in that case you need to change props.conf to reflect that. So for instance if sourcetype for these events is "dhcp":

[dhcp]
LOOKUP-user = dhcpd_username src_mac OUTPUTNEW user
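
As an added example (not from this thread, and not Splunk's own tooling), a small Python check that catches the three ways an automatic lookup silently never fires: the props.conf stanza not matching the events' actual sourcetype, the transform name not existing in transforms.conf, and an input or output field not being a column of the CSV. The sample configs and CSV are constructed to mirror the question; the set of sourcetypes is assumed to have been collected separately (for example from `| metadata type=sourcetypes`).

```python
import configparser
import csv
import io

# Constructed sample inputs modelled on the question (not the poster's files verbatim).
TRANSFORMS_CONF = "[dhcpd_username]\nfilename = dhcpd_username.csv\n"
PROPS_CONF = "[dhcpd_username]\nLOOKUP-user = dhcpd_username src_mac OUTPUTNEW user\n"
LOOKUP_CSV = "src_mac,user\n58:b0:35:fd:c8:d5,sean\n"

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def split_lookup_spec(spec):
    """'<transform> in [AS x] ... OUTPUT|OUTPUTNEW out [AS y] ...' ->
    (transform, csv_input_fields, csv_output_fields); the CSV-side name is the
    token before AS, and that is what must appear in the lookup file's header."""
    tokens = spec.split()
    inputs, outputs = [], []
    target, skip = inputs, False
    for tok in tokens[1:]:
        if skip:                       # token after AS is the event-side alias
            skip = False
        elif tok.upper() in ("OUTPUT", "OUTPUTNEW"):
            target = outputs
        elif tok.upper() == "AS":
            skip = True
        else:
            target.append(tok)
    return tokens[0], inputs, outputs

def check_lookups(props_text, transforms_text, csv_text, sourcetypes):
    """List mismatches that stop the lookup; assumes every props stanza names a sourcetype."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    header = next(csv.reader(io.StringIO(csv_text)))
    problems = []
    for stanza, keys in props.items():
        for key, spec in keys.items():
            if key.startswith("LOOKUP-"):
                transform, inputs, outputs = split_lookup_spec(spec)
                if transform not in transforms:
                    problems.append(f"{key}: no [{transform}] stanza in transforms.conf")
                for field in inputs + outputs:
                    if field not in header:
                        problems.append(f"{key}: '{field}' is not a column of the CSV {header}")
                if stanza not in sourcetypes:
                    problems.append(f"[{stanza}] is not an indexed sourcetype {sorted(sourcetypes)}")
    return problems
```

With the question's configs and a real sourcetype of "dhcp", the only finding is the stanza mismatch the accepted answer points out.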


Explorer

Thanks! That was it. I knew it had to be something simple. I think I was assuming that had to match the transforms.conf. Great!!