×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Gravoc
Observer
Member since: ‎09-25-2024
‎09-26-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-25-2024
Activity Feed
Topics I've Started
View All

Re: Splunk Cloud: Lookups

by in Splunk Search
‎09-26-2024 12:28 AM
‎09-26-2024 12:28 AM
Hi @gcusello, thanks for giving this quick reply.   I checked the filename either manually and second time by using the following command: | inputlookup ldap_users.csv   This returns the lookup as expected. I can see and edit my lookup with the lookup editor app. I also created an Lookup definition and set the permissions on both the lookup and the lookup definition to global read. I also use the lookup in my Enterprise Security Asset Management - and there it works flawlessly.   However, I managed to just utilize the merged identity lookup that Enterprise Security creates. It is not the solution to the original problem - but solves my usecase.   So for me the solution is to just utlitze another lookup: index=main source_type=some_event_related_to_users | lookup identity_lookup_expanded identity as src_user   ... View more

Splunk Cloud: Lookups

by in Splunk Search
‎09-25-2024 08:38 AM
‎09-25-2024 08:38 AM
Hi Splunk Experts, I hope to get a quick hint on my issue. I have a Splunk Cloud setup with two search heads, one of which is dedicated to Enterprise Security. I have different lookups on this search head containing, e.g., all user attributes. I wanted to enhance a specific search using the lookup command as described in the documentation. Additionally, I can access and view the lookup with the inputlookup command, confirming the file’s existence and proper permissions on the search head. The search I have trouble with (simplified):   index=main source_type=some_event_related_to_users | lookup ldap_users.csv identity as src_user   However, this search instantaneously fails with:   [idx-[...].splunkcloud.com,idx-[...].splunkcloud.com,idx-[...].splunkcloud.com] The lookup table 'ldap_users.csv' does not exist or is not available.     I must confess I am rather new to Splunk and even newer to running a Splunk cluster. So I do not really understand why my indexers are looking for the file in the first place. I assumed that the search head would handle the lookup. In addition, as I am a Splunk Cloud customer, I don’t have access to the indexers anyway. Can someone give me a pointer on how to achieve such a query in a Splunk Cloud Environment? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-26-2024 03:34 AM