Splunk Search

Not getting field automatically from lookup table

RVDowning
Contributor

I have a file: racf_username.csv located in /opt/splunk/etc/system/lookups which looks like:
racf,username
A123456,A Name
B123456, Another Name
.
.
As regards permissions, the table is updated nightly from a server and shows No Owner and the app being System.
Everyone can read but only admin can write.

In transforms.conf located in /opt/splunk/etc/system/local is the following:
[racf_username]
filename=racf_username.csv
max_matches=1
min_matches=1
default_match=Unknown

In props.conf located in /opt/splunk/etc/system/local is the following:
[sourcetype::MySourceType]
LOOKUP_racftousernames = racf_username racf OUTPUT username

However, a simple search such as:
sourcetype="MySourceType" | table racf, username
does not display any usernames.

If instead I use:
sourcetype="MySourceType" | lookup racf_username racf OUTPUT username | table racf, username
then everything works fine. I just don't get the automatically filled in username field.

Any idea how to get this to work automatically?

0 Karma

woodcock
Esteemed Legend

Actually, the correct thing to do is to move it all (inputs.conf, props.conf, transforms.conf) into your own app in a location like:

$SPLUNK_HOME/etc/apps/MyApp/default

You can modify it afterwards to give it global app permissions so it works everywhere.

0 Karma

RVDowning
Contributor

I redid everything using the web interface instead of editing the files directly and it worked for User admin and App search. And it worked in search. I then changed the permissions to make sharing global and it worked for a regular user logon in App search.

I tested it in a couple of dashboards and it seems to work for all users and perhaps all apps. But the props.conf and transforms.conf files are in the directory /opt/splunk/etc/apps/search/local. I don't understand how other apps are able to work when these conf files are in this directory. It seems to me that they should be in the directory listed in my original post, namely /opt/splunk/etc/system/local to be non app specific as opposed to being in the search app directory.

0 Karma
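As an added illustration (not configuration from the thread or from any of the posters), here is what woodcock's suggestion of a self-contained app looks like on disk, together with the metadata file that answers the follow-up about why a "global" share works from other apps: sharing an object globally in the web interface writes export = system into that app's local.meta, which is what makes the lookup visible outside the app it lives in. The app name MyApp and sourcetype MySourceType are the thread's placeholders; the stanza syntax follows the standard Splunk conf formats. Note that in props.conf a sourcetype stanza is named by the sourcetype alone (only host:: and source:: take a prefix), and the automatic-lookup setting is spelled LOOKUP- with a hyphen.

```ini
# Added example, not from the thread. App name "MyApp" and sourcetype
# "MySourceType" are placeholders taken from the question.

# --- $SPLUNK_HOME/etc/apps/MyApp/default/transforms.conf ---
# Lookup definition: CSV file name, one match per key, "Unknown" when no row matches.
[racf_username]
filename = racf_username.csv
max_matches = 1
min_matches = 1
default_match = Unknown

# --- $SPLUNK_HOME/etc/apps/MyApp/default/props.conf ---
# Automatic lookup bound to the sourcetype. The stanza is the bare sourcetype
# name; the setting name uses "LOOKUP-" (hyphen), and the value is
# "<lookup name> <input field> OUTPUT <output field>".
[MySourceType]
LOOKUP-racftousernames = racf_username racf OUTPUT username

# --- $SPLUNK_HOME/etc/apps/MyApp/metadata/default.meta ---
# export = system exposes the app's lookup definition and automatic lookup to
# every app; read stays open to all roles, write stays limited to admin,
# matching the permissions described on the original file.
[]
access = read : [ * ], write : [ admin ]
export = system

# The CSV itself goes in $SPLUNK_HOME/etc/apps/MyApp/lookups/racf_username.csv
```

After a restart, `splunk btool props list MySourceType --debug` and `splunk btool transforms list racf_username --debug` show each effective setting together with the file it was read from, which is the quickest way to confirm that the layered copies in etc/system/local and etc/apps/search/local are not overriding the app's stanzas. Two practical caveats: OUTPUT overwrites a username field that is already present in the event (OUTPUTNEW only fills it when absent), and CSV values are taken as written, so a row such as "B123456, Another Name" yields a username with a leading space.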

aweitzman
Motivator

I think you want to replace the underscore in props.conf with a hyphen. It should be LOOKUP-racftousernames not LOOKUP_racftousernames.

0 Karma

RVDowning
Contributor

Changing the underscore to a hyphen made no difference.

0 Karma