Splunk Search

Where I can find the outputlookup files in the Splunk instance??

skuma30
New Member

I am having some trouble with locating the lookup files, can some one please help me?

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Just in case you aren't yet familiar with the interface, and are asking a much more basic question -

1) Near the top right of the splunk screen there is a drop-down called "settings". Underneath that, there is a selection "lookups". Click that, then you can see a lookup file list by app.

2) to test if the outputlookup file was really created and has anything in it, you can try something like this search

|inputlookup mylookupname | head 5
0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Hi skuma30,

File-based lookups are located in $Splunk_Home/etc/apps//lookups .
The lookup stanzas are defined in transforms.conf and props.conf.

Hope this helps. Thanks!
Hunter

0 Karma

skuma30
New Member

Thanks for the reply....

0 Karma

somesoni2
SplunkTrust
SplunkTrust

From the outputlookup documentation page:

For CSV-based lookups, if the lookup file does not exist, it is created in the lookups directory of the current application. If the lookup file already exists, it is overwritten with the results of the outputlookup command.

So I would look at directory $SPLUNK_HOME/etc/apps/<<YourCurrentAppNameHere>>/lookups.

0 Karma

skuma30
New Member

Thanks for the reply......

0 Karma

woodcock
Esteemed Legend

If you are new, YourCurrentAppNameHere is probably search.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...