Splunk Search

Not getting field automatically from lookup table

RVDowning
Contributor

I have a file: racf_username.csv located in /opt/splunk/etc/system/lookups which looks like:
racf,username
A123456,A Name
B123456, Another Name
.
.
As regards permissions, the table is updated nightly from a server and shows No Owner and the app being System.
Everyone can read but only admin can write.

In transforms.conf located in /opt/splunk/etc/system/local is the following:
[racf_username]
filename=racf_username.csv
max_matches=1
min_matches=1
default_match=Unknown

In props.conf located in /opt/splunk/etc/system/local is the following:
[sourcetype::MySourceType]
LOOKUP_racftousernames = racf_username racf OUTPUT username

However, a simple search such as:
sourcetype="MySourceType" | table racf, username
does not display any usernames.

If instead I use:
sourcetype="MySourceType" | lookup racf_username racf OUTPUT username | table racf, username
then everything works fine. I just don't get the automatically filled in username field.

Any idea how to get this to work automatically?


woodcock
Esteemed Legend

Actually, the correct thing to do is to move it all (inputs.conf, props.conf, transforms.conf) into your own app in a location like:

$SPLUNK_HOME/etc/apps/MyApp/default

You can modify it afterwards to give it global app permissions so it works everywhere.


RVDowning
Contributor

I redid everything using the web interface instead of editing the files directly and it worked for User admin and App search. And it worked in search. I then changed the permissions to make sharing global and it worked for a regular user logon in App search.

I tested it in a couple of dashboards and it seems to work for all users and perhaps all apps. But the props.conf and transforms.conf files are in the directory /opt/splunk/etc/apps/search/local. I don't understand how other apps are able to work when these conf files are in this directory. It seems to me that they should be in the directory listed in my original post, namely /opt/splunk/etc/system/local, to be non-app-specific as opposed to being in the search app directory.


aweitzman
Motivator

I think you want to replace the underscore in props.conf with a hyphen. It should be LOOKUP-racftousernames not LOOKUP_racftousernames.


RVDowning
Contributor

Changing the underscore to a hyphen made no difference.

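A small checker for the configuration discussed in this thread, added here as an example (it is not code from the posts above or from Splunk). It parses constructed copies of the props.conf, transforms.conf and CSV shown in the question and reports why the automatic lookup would not fill in username: it applies the LOOKUP- hyphen rule from aweitzman's reply, the props.conf stanza-naming rule (a sourcetype stanza is written [MySourceType]; sourcetype:: is not a recognised stanza prefix, only host:: and source:: are), and checks that the transforms stanza, its file and the named columns all exist.

```python
import configparser
import csv

# Constructed copies of the thread's configuration so the check runs offline.
PROPS_CONF = """[sourcetype::MySourceType]
LOOKUP_racftousernames = racf_username racf OUTPUT username
"""
TRANSFORMS_CONF = """[racf_username]
filename=racf_username.csv
max_matches=1
min_matches=1
default_match=Unknown
"""
LOOKUP_CSV = "racf,username\nA123456,A Name\nB123456, Another Name\n"


def parse_conf(text):
    # Splunk .conf files are INI-style; keep key case and accept only '=' as separator
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_auto_lookups(props_text, transforms_text, csv_files):
    """Return reasons an automatic lookup would not populate fields at search time.
    csv_files maps a lookup filename to its CSV text. 'AS' renames are not handled."""
    problems = []
    transforms = parse_conf(transforms_text)
    for stanza, keys in parse_conf(props_text).items():
        if stanza.startswith("sourcetype::"):
            # props.conf addresses a sourcetype by its bare name; only host:: and source:: take a prefix
            problems.append(f"[{stanza}]: should be [{stanza.split('::', 1)[1]}]")
        for key, value in keys.items():
            if not key.upper().startswith("LOOKUP"):
                continue
            if not key.startswith("LOOKUP-"):
                problems.append(f"{key}: automatic lookups are named LOOKUP-<class>, with a hyphen")
            name, *fields = value.split()
            if name not in transforms:
                problems.append(f"{key}: no [{name}] stanza in transforms.conf")
                continue
            filename = transforms[name].get("filename")
            if filename not in csv_files:
                problems.append(f"[{name}]: lookup file {filename!r} not found")
                continue
            header = next(csv.reader(csv_files[filename].splitlines()))
            for f in (t for t in fields if t.upper() not in ("OUTPUT", "OUTPUTNEW")):
                if f not in header:
                    problems.append(f"{key}: {f!r} is not a column of {filename}")
    return problems
```

Run it with the thread's files as `check_auto_lookups(PROPS_CONF, TRANSFORMS_CONF, {"racf_username.csv": LOOKUP_CSV})`; an empty list means the automatic lookup definition is consistent, anything else is a reason it silently does nothing while the explicit `| lookup` still works.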