Is the _internal index exempt from automatic lookups? I can't get any automatic lookups working on the index even with global permissions selected to work on the internal index, it works everywhere except there. Is there no way to do this?
You have 2 problems; first, you are swapping the lookup name and event name positions, and you have extra spaces in your LOOKUP- name (or perhaps it was supposed to be a second input field and you forgot to use AS and put it in the wrong place?). I have made a guess at how to fix everything below:
[splunk_web_access]
LOOKUP-AD = AD_User_List user AS cn OUTPUTNEW UserFullName AS FullName
[source::/opt/splunk/var/log/splunk/web_access.log]
LOOKUP-Lookup-AD_Source_Attempt = AD_User_List user AS cn OUTPUTNEW UserFullName AS FullName
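Whether the field order is right depends on which columns AD_User_List actually has, and the thread never shows its header. The checker below is an added example, not code from this thread or from Splunk: it parses LOOKUP- definitions out of props.conf text, flags a class name that contains spaces, and flags any lookup field (the name before AS) that is not a column of the table. The CSV header it uses (columns `user` and `UserFullName`, as the corrected stanzas imply) is an assumption; change COLUMNS to the real header and the checker tells you which version of the stanza is consistent with it.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed copies of the stanzas quoted in the thread (not the poster's real file).
ORIGINAL = """\
[splunk_web_access]
LOOKUP-AD = AD_User_List cn AS user OUTPUTNEW FullName AS UserFullName
[source::/opt/splunk/var/log/splunk/web_access.log]
LOOKUP-Lookup-AD Source Attempt = AD_User_List cn AS user OUTPUTNEW FullName AS UserFullName
"""
CORRECTED = """\
[splunk_web_access]
LOOKUP-AD = AD_User_List user AS cn OUTPUTNEW UserFullName AS FullName
"""
# Assumed header of AD_User_List.csv; the thread never shows the real one.
COLUMNS: Dict[str, Set[str]] = {"AD_User_List": {"user", "UserFullName"}}

STANZA_RE = re.compile(r"^\[(.+)\]$")
LOOKUP_RE = re.compile(r"^(LOOKUP-[^=]+?)\s*=\s*(.+)$")


def pairs(tokens: List[str]) -> List[Tuple[str, str]]:
    """'a AS b c' -> [('a', 'b'), ('c', 'c')]: lookup column first, event field second."""
    out, i = [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1].upper() == "AS":
            out.append((tokens[i], tokens[i + 2]))
            i += 3
        else:
            out.append((tokens[i], tokens[i]))
            i += 1
    return out


def lint_props(text: str, columns: Dict[str, Set[str]]) -> List[str]:
    """Return one finding per defect: spaces in a LOOKUP- class name, or a lookup field
    that is not a column of the referenced table (i.e. lookup/event names swapped)."""
    findings, stanza = [], "<none>"
    for line in text.splitlines():
        s = STANZA_RE.match(line.strip())
        if s:
            stanza = s.group(1)
            continue
        m = LOOKUP_RE.match(line.strip())
        if not m:
            continue
        cls, rhs = m.group(1), m.group(2).split()
        if " " in cls:
            findings.append(f"[{stanza}] {cls!r}: class name contains spaces")
        table, body = rhs[0], rhs[1:]
        cut = next((i for i, t in enumerate(body) if t.upper() in ("OUTPUT", "OUTPUTNEW")), len(body))
        for lookup_field, _event_field in pairs(body[:cut]) + pairs(body[cut + 1:]):
            if lookup_field not in columns.get(table, set()):
                findings.append(f"[{stanza}] {cls}: {lookup_field!r} is not a column of {table}")
    return findings
```

Run `lint_props(ORIGINAL, COLUMNS)` to see the spaced class name and the four field-name findings; the corrected stanza produces none under the assumed header.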
Automatic lookups on _internal are working fine for me. Post your props.conf so we can take a look.
bash-4.1$ cat props.conf
[_internal]
[splunkd*]
[splunk_web_access]
LOOKUP-AD = AD_User_List cn AS user OUTPUTNEW FullName AS UserFullName
[source::/opt/splunk/var/log/splunk/web_access.log]
LOOKUP-Lookup-AD Source Attempt = AD_User_List cn AS user OUTPUTNEW FullName AS UserFullName
bash-4.1$
It should probably also be noted that there are 2 doing the same query because I wasn't sure if there was an issue with the sourcetype. It did this back when I was just trying it on splunk_web_access.
What sourcetype and fields are you using for the lookups?
I am using the user field and the sourcetype of splunk_web_access