- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Use search results to populate a lookup table
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use search results to populate a lookup table
I am following the directions on http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Addfieldsfromexternaldatasources#Use_sea...
I edited my savedsearches.conf as directed, but the CSV file is not being created. How can I troubleshoot this problem?
etc/apps/search/local/savedsearches.conf:
[Service Now assets]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
action.populate_lookup = 1
action.populate_lookup.dest = etc/system/lookups/service_now_assets.csv
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = 0 18 * * *
description = ServiceNow assets
display.events.fields = ["sourcetype","Message_Name","source","Message_Info","Message_Title","Server","msg","Server"]
display.events.type = table
display.visualizations.charting.chart = area
display.visualizations.show = 0
enableSched = 1
quantity = 5000
relation = less than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
run_on_startup = false
search = index=service_now source=service_now earliest=-1d
etc/system/local/transforms.conf:
[service_now_asset]
filename = etc/system/lookups/service_now_assets.csv
case_sensitive_match = false
etc/system/local/props.conf:
[asset_properties]
LOOKUP-servicenow = service_now_asset Server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this seems silly but every time I use a construct referring to a file location that is relative to $SPLUNK_HOME, I have used /etc/... instead of etc/.... I know the documentation says the latter but I would add a slash to the beginning and see if it fixes it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I removed the path entirely and Splunk was able to find the CSV correctly! Running the saved search does not update the CSV, but at least the lookup part is working...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Keep playing with different variations on the path and I think you will get it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Paste your savedsearches.conf stanza; there is probably a typo.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you restart Splunk after editing savedsearches.conf? What were your edits?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes I have restarted. I posted the relevant sections from my config files
Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...
IM Landing Page Filter - Now Available
Dynamic Links from Alerts to IM Navigators - New in Observability Cloud
