Splunk Search

Splunk Free v.5.0.4 Static Lookups Not Working

bradp123
Path Finder

Hello,

I have set up a Splunk Free instance with DHCP, DNS (squid), and firewall logs going into it. I am trying to configure a lookup table to assist with resolving DNS names. I have tried and tried, but cannot get this feature working. Here are the specifics:
csv file: splunk_lookup_home.csv (located in /opt/splunk/etc/system/lookups)
homeip,homename
192.168.0.1,testname
192.168.0.2,test2name

/opt/splunk/etc/system/local/transforms.conf
...
[lan_lookup]
filename = splunk_lookup_home.csv

/opt/splunk/etc/system/local/props.conf
...
[squid]
LOOKUP-lan = lan_lookup homeip OUTPUT homename

After I restart Splunk I am not seeing the new field, homename. I have been following this guide: http://docs.splunk.com/Documentation/Splunk/5.0.4/Knowledge/Addfieldsfromexternaldatasources. Even when I run the lookup from the search bar I am not getting the new fields:

sourcetype="squid" | lookup lan_lookup homeip OUTPUT homename
sourcetype="squid" | lookup lan_lookup homeip as clientip OUTPUT homename as clientip
I do see what looks to be a correct entry in the manager (Manager » Lookups » Automatic lookups). What am I forgetting to do? Is this a limitation of Splunk Free? Perhaps something with permissions? All the permissions are set to global.

UPDATED: Fixed misspelled word (transforms.conf).

0 Karma

bradp123
Path Finder

I ran the search as you recommended, but it states "No matching events found". The clientip field is being extracted by a regex in my transforms.conf file. When I run this command I get the desired results: sourcetype="squid" | top 10 clientip. Any other ideas? Thanks for the help.

0 Karma

linu1988
Champion

You need to run this:

sourcetype="squid" | lookup lan_lookup homeip as clientip

This will give you the result; no need to mention OUTPUT anymore. Valid point from Ayn also; I don't see much of a mistake there.

0 Karma

Ayn
Legend

What happens when you run the lookup? Do you get any error messages? Because in your post I see you've used the name transform.conf where it really should be transforms.conf. I guess it very likely is a typo, but just pointing it out in case it isn't 🙂

EDIT: OK. Some more things to verify:

You have these different lookup commands:

sourcetype="squid" | lookup lan_lookup homeip OUTPUT homename
sourcetype="squid" | lookup lan_lookup homeip as clientip OUTPUT homename as clientip

In the first, the lookup will obviously only work if the field "homeip" really exists and has an IP address that the lookup finds a match for. Is this true in your case?

In the second, you're reading the field "clientip" and then also writing "clientip" (order in lookup "as" field naming is wildly confusing), not "homename". Are you checking for the results in the field "homename" or "clientip"?
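Ayn's point about which field is read and which is written, and linu1988's form that omits OUTPUT, as an added example that is not part of the thread and not Splunk's own code: a small Python model of the `lookup` command's AS/OUTPUT semantics, run over a constructed copy of the question's CSV and constructed squid events that carry clientip but no homeip.

```python
import csv
import io

# Constructed lookup table, mirroring splunk_lookup_home.csv from the question.
LOOKUP_CSV = """homeip,homename
192.168.0.1,testname
192.168.0.2,test2name
"""

# Constructed squid events: the sourcetype extracts clientip, never homeip.
EVENTS = [
    {"sourcetype": "squid", "clientip": "192.168.0.1", "url": "example.com"},
    {"sourcetype": "squid", "clientip": "192.168.0.2", "url": "example.net"},
    {"sourcetype": "squid", "clientip": "10.0.0.9", "url": "example.org"},
]


def load_lookup(text):
    """Parse the CSV into row dicts, as Splunk loads a static file lookup."""
    return list(csv.DictReader(io.StringIO(text)))


def apply_lookup(events, table, lookup_field, event_field, outputs=None):
    """Model `| lookup <table> <lookup_field> AS <event_field> OUTPUT ...`.

    For each event, its `event_field` value is matched against `lookup_field`
    in the table. `outputs` is a list of (table_column, event_field_name)
    pairs, i.e. each `OUTPUT col AS name`; None models omitting OUTPUT, which
    writes every non-match column under its own name. Events lacking the
    input field, or whose value has no row, are returned unchanged.
    """
    index = {row[lookup_field]: row for row in table}
    if outputs is None:
        outputs = [(c, c) for c in (table[0] if table else {}) if c != lookup_field]
    result = []
    for ev in events:
        ev = dict(ev)
        key = ev.get(event_field)  # missing field -> no match possible
        if key is not None and key in index:
            for col, name in outputs:
                ev[name] = index[key][col]  # writing to an existing field overwrites it
        result.append(ev)
    return result


def query_no_alias(events, table):
    # sourcetype="squid" | lookup lan_lookup homeip OUTPUT homename
    return apply_lookup(events, table, "homeip", "homeip", [("homename", "homename")])


def query_alias_overwrite(events, table):
    # ... | lookup lan_lookup homeip as clientip OUTPUT homename as clientip
    return apply_lookup(events, table, "homeip", "clientip", [("homename", "clientip")])


def query_default_output(events, table):
    # ... | lookup lan_lookup homeip as clientip   (OUTPUT omitted)
    return apply_lookup(events, table, "homeip", "clientip")
```

The first query never matches because no event has a homeip field; the second does match but overwrites clientip instead of producing homename, which is why checking the homename field shows nothing.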

Ayn
Legend

Added some more things to troubleshoot.

0 Karma

bradp123
Path Finder

Thanks for pointing that out. It is in fact a typo. I am using transforms.conf. When I run the search commands I am not getting any errors.

0 Karma