I'm trying to understand what, exactly, lookup tables are. It seems like getwatchlist just populates Splunk like any other data import by outputting csv formatted data into Splunk. I didn't see anything in the code that mentioned lookup tables or even indexes.
So, the command is run, data changed to csv, and sent to Splunk. That's where I get a bit confused. What makes it a lookup table? Looking at the source, there is no transforms.conf, so I'm not even sure how the lookup table name is set. It would seem to be the Profile Name from the getwatchlists.conf.
Thanks!
... View more