Hi All,
Quick question, in Manager » Lookups » Automatic lookups » Add New
on Apply to drop down box, we can select from SOurcetype, source, or host.
If I choose any of the choices, can I put * on the sourcetype field. The reason is the lookup table that I created meant for any sourcetype, and any host those are currently indexed by my SPlunk.
I tried before it wouldn't do the trick. If possible, do I need to put other character value?
Please advise on this
Thanks
The UI will create a stanza which did not work in my testing.
## props.conf
[*]
LOOKUP-all_test = my_test_lookup sourcetype OUTPUTNEW foo
If you want this lookup to be global I would recommend specifying this property in props.conf without a stanza:
## props.conf
LOOKUP-all_test = my_test_lookup sourcetype OUTPUTNEW foo
Based on a similar Q/A it is also possible use wildcards in sourcetype
Thanks It works. Just delete the [*] and put on top of the props.conf.
Thanks again
Just need to select HOST as Apply To and * in named field as below while
Lookups » Automatic lookups » Add new
No need to edit Props.conf gile
Thanks
Neeraj Singh Dhapola
The UI will create a stanza which did not work in my testing.
## props.conf
[*]
LOOKUP-all_test = my_test_lookup sourcetype OUTPUTNEW foo
If you want this lookup to be global I would recommend specifying this property in props.conf without a stanza:
## props.conf
LOOKUP-all_test = my_test_lookup sourcetype OUTPUTNEW foo
Based on a similar Q/A it is also possible use wildcards in sourcetype
I also accomplished similar using [default] as the stanza header.
A cleaner method may be using [host:*] stanza header.