Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

lookups

VijaySrrie
Builder
‎07-14-2021 08:07 PM

Hi,

Under lookups we have lookups as below

lookups

abcd.csv

xyz.csv

I could see configs in props.conf to map to these lookups

props.conf

LOOKUP-field1-field2 = abcd_lookup field OUTPUTNEW field1,field2
LOOKUP-field3 = xyz_mapping field OUTPUTNEW field3

You can see  in props.conf, along with the first lookup name they have added _lookup (abcd_lookup) and along with the second lookup name they have added _mapping (xyz_mapping).

is this correct? 

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-14-2021 08:28 PM

Hi @VijaySrrie 

If i understand correctly, There are two key items w.r.t lookups , in lookup definition name of lookup in your case xyz_mapping, abcd_lookup and files with extension .csv are the original file having data.

You should be able to find same in transforms.conf as below, then it must be right.. you can test same with | inputlook abcd_lookup , | inputlookup xyz_mapping under the app scope they have been configured.

[abcd_lookup]
filename = abcd.csv
[xyz_mapping]
filename = xyz.csv

  ---

An upvote would be appreciated and Accept solution if this reply helps!

 

View solution in original post

Tags (2)
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-14-2021 08:28 PM

Hi @VijaySrrie 

If i understand correctly, There are two key items w.r.t lookups , in lookup definition name of lookup in your case xyz_mapping, abcd_lookup and files with extension .csv are the original file having data.

You should be able to find same in transforms.conf as below, then it must be right.. you can test same with | inputlook abcd_lookup , | inputlookup xyz_mapping under the app scope they have been configured.

[abcd_lookup]
filename = abcd.csv
[xyz_mapping]
filename = xyz.csv

  ---

An upvote would be appreciated and Accept solution if this reply helps!

 

Tags (2)
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎07-14-2021 08:39 PM

@venkatasri  you are correct.

So generally when we create lookups and use it for field extraction, do we need to write props.conf and transforms.conf?

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎07-14-2021 08:49 PM

@VijaySrrie  Transforms.conf is kind of one-time set-up to configure the lookup file and definition you don't need to do this everytime unless you want change original settings done by your admin/developer.

If you are going to use the existing lookup file, you mostly use props.conf to deployed to SH and it's not extraction i would say to enrich and create additional fields (OUTPUT, OUTPUTNEW). props.conf LOOKUP-<name > = something, is equivalent to using | lookup command in UI. Hence it depends where you want to code it in UI inline search or backend using props.conf. Hope this clarifies!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...