Hi team, I have already worked with the lookup feature of Splunk (tables, definitions and automatic lookups), and it is working correctly. I even created a script that uses the inputlookup command to automatically update the lookup table when it is needed. The CSV file of the lookup table has the following structure:

appid,appName
APP01729-af-ws.service,APP01729
APP01729-af-sch.service,APP01729
APP01729-af-wkr.service,APP01729

The idea with this lookup is to match the appid with one of the attributes that Splunk has from a search and then add the value of appName to the result of that search. For example: appid will match the values of systemd_unit, and for each match in that search it will add the attribute appname with the value of appName from the lookup table.

That behavior is working with the values above, but when I try to create another lookup table and its definition with different values but matching the same attributes in Splunk, it is not creating the new attribute in the search. I tested that with this search:

index=main_dev ...
| spath systemd_unit
| search systemd_unit="*container*"
| lookup appids_lookup appid as systemd_unit OUTPUTNEW appName

Here the systemd_unit that it tries to match is everything that has 'container' in its name, and then it creates a new attribute called appName with the value corresponding to the value of appName in the lookup table.

That doesn't work because the search for container and the corresponding lookup value in the lookup table is new. But the old values of the lookup table, I mean old values with values from other lookup tables that I use in the new lookup table, work correctly, creating the new attribute in the search.

My problem is: do I need to do something else beyond creating the lookup table and definition to make this work for new values?