Add lookup to search head app - syntax question?

msarro · ‎10-08-2013

Hello,
I am working to put together an app which will be deployed to our search head. In the app, there is a lookup csv file located in < APPNAME>/Lookups. I need the app to lookup a single field, and append the corresponding field to each event. Inside the event there is an extracted field called "Termination_Cause." In the csv file we have this format:

"Termination_Cause","Termination_Cause_Description"
"01","Term_Value"
"02","Term_Value2"

So using that example, when the Termination_Cause field is 01, we need the Termination_Cause_Description field to be added to the event with the value "Term_Value" while retaining the original Termination_Cause field.

I am looking at the props conf documentation and I just need to clarify the syntax because the way it is documented is a little confusing to me. Before this I had always done lookups using the GUI, and just need some guidance on what to put in props.conf and transforms.conf.

Thanks in advance!

alacercogitatus · ‎10-08-2013

Try these settings, changing where appro.

props.conf

[my_sourcetype] LOOKUP-mylookup = terminations Termination_Cause

transforms.conf

[terminations] filename = my_lookup.csv

Add lookup to search head app - syntax question?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms