- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Use search results to populate a lookup table
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use search results to populate a lookup table
I am following the directions on http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Addfieldsfromexternaldatasources#Use_sea...
I edited my savedsearches.conf as directed, but the CSV file is not being created. How can I troubleshoot this problem?
etc/apps/search/local/savedsearches.conf:
[Service Now assets]
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
action.populate_lookup = 1
action.populate_lookup.dest = etc/system/lookups/service_now_assets.csv
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = 0 18 * * *
description = ServiceNow assets
display.events.fields = ["sourcetype","Message_Name","source","Message_Info","Message_Title","Server","msg","Server"]
display.events.type = table
display.visualizations.charting.chart = area
display.visualizations.show = 0
enableSched = 1
quantity = 5000
relation = less than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
run_on_startup = false
search = index=service_now source=service_now earliest=-1d
etc/system/local/transforms.conf:
[service_now_asset]
filename = etc/system/lookups/service_now_assets.csv
case_sensitive_match = false
etc/system/local/props.conf:
[asset_properties]
LOOKUP-servicenow = service_now_asset Server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this seems silly but every time I use a construct referring to a file location that is relative to $SPLUNK_HOME, I have used /etc/... instead of etc/.... I know the documentation says the latter but I would add a slash to the beginning and see if it fixes it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I removed the path entirely and Splunk was able to find the CSV correctly! Running the saved search does not update the CSV, but at least the lookup part is working...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Keep playing with different variations on the path and I think you will get it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Paste your savedsearches.conf stanza; there is probably a typo.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you restart Splunk after editing savedsearches.conf? What were your edits?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes I have restarted. I posted the relevant sections from my config files
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
