Could anyone please help me clear up the following basic questions?
 1. What is the difference between OUTPUT and OUTPUTNEW in lookup?
 2. lookup status_desc status OUTPUT description
    Here, does status represent the field in the events?
    description is the new field that is going to be added based on status, right?
And I'm getting the following error while I'm working with lookup:
"Could not find all of the specified destination fiels in the lookup table for conf '(?::){0}PerfmonMk*:*' and lookup table test_lkup"
And initially I hadn't given global permission to the lookup. Will it cause any issue?
Now I have removed all the things. Even so, I'm still getting the error.

props.conf

[default]
LOOKUP-test_lkup = test_lkup sourcetype OUTPUT flag

transforms.conf

[test_lkup]
filename = test_lkup.csv

test_lkup.csv

sourcetype,flag
A,true
B,true
C,true

Thanks in advance.
The answer to your two numbered questions is: Yes, stats represents the field in the event, and description will be the new field generated. The difference between OUTPUT and OUTPUTNEW is if the description field already exists in your event, OUTPUT will overwrite it and OUTPUTNEW won't.
As for the rest of it, my recommendations would be:
 1. default is a valid sourcetype in your data (if it's a host, source or rule, the syntax is different, check http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf for details).
 2. LOOKUP-test_lkup is confusing things. The string after LOOKUP- is supposed to be a unique literal, and test_lkup is used elsewhere for other things. Try LOOKUP-random and see whether that helps.
Good luck.
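
Added example (not part of the original thread and not Splunk's own code): a small Python sketch that checks the fields named in a LOOKUP- definition against the CSV header, which is the mismatch the error message reports, and emulates the OUTPUT versus OUTPUTNEW behaviour described in the answer. The function names are hypothetical, the sample data is constructed from the question's files, and the sketch assumes an explicit OUTPUT/OUTPUTNEW clause and uses only the first matching row.

```python
import csv
import io

# Constructed sample data mirroring the files posted in the question.
LOOKUP_DEF = "test_lkup sourcetype OUTPUT flag"
CSV_TEXT = "sourcetype,flag\nA,true\nB,true\nC,true\n"


def parse_lookup(definition):
    """Split '<transform> <match>... OUTPUT|OUTPUTNEW <out>...' into parts.

    'x AS y' maps lookup-table column x to event field y (hypothetical helper).
    """
    tokens = definition.split()
    transform, rest = tokens[0], tokens[1:]
    mode, match, out = None, {}, {}
    target, i = match, 0
    while i < len(rest):
        tok = rest[i]
        if tok.upper() in ("OUTPUT", "OUTPUTNEW"):
            mode, target = tok.upper(), out  # later fields are output fields
            i += 1
        elif i + 2 < len(rest) and rest[i + 1].upper() == "AS":
            target[tok] = rest[i + 2]
            i += 3
        else:
            target[tok] = tok
            i += 1
    return transform, match, mode, out


def missing_columns(definition, csv_text):
    """Return lookup columns named in the definition but absent from the CSV header."""
    _, match, _, out = parse_lookup(definition)
    header = next(csv.reader(io.StringIO(csv_text)))
    return [col for col in list(match) + list(out) if col not in header]


def apply_lookup(event, definition, csv_text):
    """Emulate OUTPUT (overwrite) vs OUTPUTNEW (keep existing value) on one event."""
    _, match, mode, out = parse_lookup(definition)
    result = dict(event)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if all(event.get(ev) == row[col] for col, ev in match.items()):
            for col, ev in out.items():
                if mode == "OUTPUT" or ev not in result:
                    result[ev] = row[col]
            break  # simplification: first matching row only
    return result
```

For the files as posted, missing_columns(LOOKUP_DEF, CSV_TEXT) returns an empty list, while a definition that names a column the CSV does not have (for example a constructed typo such as flags) is reported.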
