Hi
I have separate machines for a Search Head and Indexer. In Splunk Web on the Search Head, I went through the different steps as shown in the Splunk tutorial to define automatic lookup based on a single lookup table uploaded as .csv file.
For example, lets assume, I have city_code, city_name in the csv file.
In my events for different sourcetypes, I have the city_code field (named in different ways depending on the sourcetype). All I need is for Splunk to look for this field "city_code" and then output the field "city_name" in the matching events.
I only did the config on Search Head as my web interface is disabled on the Indexer.
Its not working at all. Is there some manual steps I need to follow like manually editing transforms.conf file?
-Olavo
... View more