New field added to lookup table not displaying

johnboldt · ‎04-28-2011

I'm adding a new field to an existing lookup table but it's not showing up in any searches. These are the steps I followed:

Added the new field to the existing lookup .csv file
Added the new column to the application props.conf LOOKUP
Restarted splunkd

The existing lookup fields are still showing up in searches, but not the new field. Am I missing a step?

csv (Dependent_Service_Call_Group is the new field)

ElapsedMetricDescription,Dependent_Service_Call,Dependent_Service_Call_Group,Target_Response_Time_At_90th,Planned_Throughput
CDB Call [CPSDRVRA] Response time:,CDB Call,Checkout,500,12000  
Standardize Address Request. Response time:,Standardize Address,Checkout,500,5000

Transforms.conf:

[Dependent_Service_Metrics_NFR_Targets]
filename = Dependent_Service_Metrics_NFR_Targets.csv

props.conf:

LOOKUP-Dependent_Service_Metrics_NFR_Targets = Dependent_Service_Metrics_NFR_Targets ElapsedMetricDescription AS ElapsedMetricDescription OUTPUTNEW Dependent_Service_Call AS Dependent_Service_Call Dependent_Service_Call_Group AS Dependent_Service_Call_Group Planned_Throughput AS Planned_Throughput Target_Response_Time_At_90th AS Target_Response_Time_At_90th

hazekamp · ‎04-28-2011

John,

There could be a number of reasons for this, including OUTPUT vs. OUTPUTNEW. Can you post a few lines of your csv, your props, and an example event?

David

New field added to lookup table not displaying

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms