I have a lookup with a field "description". I would like a pulldown menu to populate with all of the values in the description field from my lookup file. The menu populates if I use a search that DOESN'T use a lookup field so it is functional in that aspect. However I can't seem to get this to work and I've tried a few searches already. The Pulldown menu is just full of "No Values Found". So far I tried: | inputlookup WAT_Lookups.csv | fields description | dedup description sourcetype=EPPWEB WAT | fields description | dedup description Both of these searches, when done manually in search, show the description field and values in this field. Why they aren't populating the menu I'm not sure yet. Any ideas here? Also the funny thing is, even though the pulldown menu will have "no values found" about 15 times, if I click on my search button on my form, everything works, all my graphs and tables load and the "description" field resolves and shows results. ? Just can't get it in the pulldown menu. full code here http://pastebin.com/0fYa7LcK ... View more

I've followed http://docs.splunk.com/Documentation/Splunk/latest/User/CreateAndConfigureFieldLookups and looked at plenty of questions about the same topic on here and I still can't figure out what I'm doing wrong with my automatic lookup. I also watched a video on this but it didn't really show how the lookup was created. Here's my csv file I want to use for a file based lookup: gnovak@booberry:cat WAT_Lookups.csv "filename,description" "Invoice.pdf,Billing Invoice" "Statement.pdf,Billing Statement" "text.txt,Billing text" "*-*.pdf,Scorecard" For Lookup Table Files I selected this csv and gave it the same name for Destination filename. For Lookup Definitions, destination app is "search", name is "WAT_Lookups.csv", type is "file based", and the lookup file is "WAT_Lookups.csv". For Automatic Lookups, I have the following Lookup Table: WAT_Lookups Lookup input fields - filename = filename Lookup Output fields - description = description Apply to : sourcetype named EPPWEB I have checked my props.conf and transforms.conf files after configuring all of this and there are entires in there. I also made sure the permissions on these were all Everyone can Read, Admin can write for only the search app which is where this is located. When I do a search for sourcetype=EPPWEB, I get the following error: [log1.blahblahblah.info] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::EPPWEB' and lookup table 'WAT_Lookups' [log2.blahblahblah.info] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::EPPWEB' and lookup table 'WAT_Lookups' I just can't seem to get it to work. Basically the end result is, for example, a filename called Invoice.pdf to be otherwise known as "Billing Invoice". NOTE: I already have "filename" as a field extracted through props.conf. So under the field filename you have some files listed like text.text, Invoice.pdf, etc. I'm not sure if this in doing anything w/ the lookup. ... View more

I originally asked this question here: http://splunk-base.splunk.com/answers/55254/rename-values-extracted-into-field This was regarding renaming values that were extracted into a field to something different. Example: -filename=statement.pdf I'd like statement.pdf to be known as "Scorecard". The solution before was to use EVAL for this but the issue with that is that using eval will only single out those values you choose to rename in the command itself. It will only display those that were renamed and all other filenames were not listed. I'm wondering if you can use transforms.conf for this instead. I'd like to have basically a list of where I have something like: statement.pdf = Scorecard invoice.pdf = Billing ImHungry.pdf = Lunch Anyone have any ideas to throw around with this one? I'm lookinng at transforms.conf in the admin manual but figured I'd also ask this here. I was also told to maybe try lookups. ... View more