Splunk Search

difference between output and outputnew in splunk lookup

splunkn
Communicator

Could anyone please clarify the following basic questions for me?
1. What is the difference between output and outputnew in lookup?
2. lookup status_desc status OUTPUT description
Here status represents the field in the events?
description is the new field going to be added based on status, right?

And I'm getting the following error while I'm working with the lookup:
"Could not find all of the specified destination fields in the lookup table for conf '(?::){0}PerfmonMk*:*' and lookup table test_lkup"

And initially I hadn't given global permission to the lookup. Will it cause any issue?
Now I have removed all of those things. Even so, I'm still getting the error??

props.conf
[default]
LOOKUP-test_lkup = test_lkup sourcetype OUTPUT flag

transforms.conf
[test_lkup]
filename = test_lkup.csv

test_lkup.csv
sourcetype,flag
A,true
B,true
C,true

Thanks in advance.

aweitzman
Motivator

The answer to your two numbered questions is: Yes, status represents the field in the event, and description will be the new field generated. The difference between OUTPUT and OUTPUTNEW is that if the description field already exists in your event, OUTPUT will overwrite it and OUTPUTNEW won't.

As for the rest of it, my recommendations would be:

  1. Give global permission to everything first, get everything to work, and then change the permissions and see what breaks.
  2. Make sure that default is a valid sourcetype in your data (if it's a host, source or rule, the syntax is different, check http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf for details).
  3. I wonder whether the name LOOKUP-test_lkup is confusing things. The string after LOOKUP- is supposed to be a unique literal, and test_lkup is used elsewhere for other things. Try LOOKUP-random and see whether that helps.

Good luck.
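As an added illustration (not from the original thread or from Splunk itself), here is a small Python emulation of the OUTPUT vs OUTPUTNEW semantics described in the answer, run over the question's test_lkup.csv; the sample events, the function names and the error raised for a destination field that is not a column of the table are all constructed for this example.

```python
import csv
import io

# Constructed lookup table, copied from the question's test_lkup.csv.
LOOKUP_CSV = """sourcetype,flag
A,true
B,true
C,true
"""


def load_lookup(csv_text):
    """Parse CSV text into (column names, list of row dicts)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return list(reader.fieldnames), list(reader)


def apply_lookup(events, csv_text, match_field, output_field, mode="OUTPUT"):
    """Emulate `lookup <table> <match_field> OUTPUT|OUTPUTNEW <output_field>`.

    OUTPUT overwrites an existing output_field in a matching event;
    OUTPUTNEW only fills output_field when the event does not have it yet.
    Returns new event dicts; the input events are left untouched.
    """
    if mode not in ("OUTPUT", "OUTPUTNEW"):
        raise ValueError(f"unknown mode {mode!r}")
    header, rows = load_lookup(csv_text)
    # Both the match field and the destination field must be columns of the
    # table; a missing destination column cannot be filled, so fail loudly
    # (Splunk reports a similar condition as a "destination fields" error).
    for needed in (match_field, output_field):
        if needed not in header:
            raise KeyError(f"field {needed!r} is not a column of the lookup table")
    index = {row[match_field]: row[output_field] for row in rows}
    result = []
    for ev in events:
        ev = dict(ev)
        key = ev.get(match_field)
        if key in index and (mode == "OUTPUT" or output_field not in ev):
            ev[output_field] = index[key]
        result.append(ev)
    return result
```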
