Hi,
I have a file coming from the source (UF) in which I am getting two fields (IP and PORT). Now I also have a lookup file in which I have four additional fields (IP, NAME, SOURCE, DESTINATION).
Question is: I don't want to index the source file as it is; rather, I would like to do the lookup before the data gets stored in the indexer.
Once the lookup is done based on the IP present in the lookup file as well as the source file, I will have the complete set of data for all the matched IPs, and that data I want to index in the indexer.
Kindly help!!
Cheers,
Create an app on the indexer:
$SPLUNK_HOME$/etc/(apps OR master-apps)/yourapp/lookups/
yourlookup.csv should reside in this folder.
$SPLUNK_HOME$/etc/(apps OR master-apps)/yourapp/local/transforms.conf
[yourlookup]
filename=yourlookup.csv
$SPLUNK_HOME$/etc/(apps OR master-apps)/yourapp/local/props.conf
[sourcetype set in UF]
LOOKUP-test = yourlookup IP as IP OUTPUTNEW NAME SOURCE DESTINATION
I hope this helps.
Amazing reply!! All the fields are coming through (showing in the indexer), but when I search the same index with the sourcetype on the search head, those extra looked-up fields are not showing!! I want to get (see) the data in the search head!!
Ah okay..
[sourcetype set in UF]
LOOKUP-test = yourlookup IP as IP OUTPUTNEW NAME as lname, SOURCE as lsource, DESTINATION as ldest
EVAL-name = lname
EVAL-source= lsource
EVAL-dest = ldest
If the above doesn't work, then do the same steps on the search head as well. The path will be a little different:
1) Deployer - $SPLUNK_HOME$/etc/shcluster/apps/yourapp/local/
2) Standalone SH - $SPLUNK_HOME$/etc/apps/yourapp/local
/lookups/
yourlookup.csv should reside in this folder.
/transforms.conf
[yourlookup]
filename=yourlookup.csv
/props.conf
[sourcetype set in UF]
LOOKUP-test = yourlookup IP as IP OUTPUTNEW NAME SOURCE DESTINATION
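As an added illustration (not code from this thread or from Splunk), here is a Python model of what the LOOKUP-test stanza above does when the search head evaluates it at search time: each event's IP is matched against the CSV, and because the stanza uses OUTPUTNEW, only fields the event does not already carry are filled in (OUTPUT would overwrite them). The CSV rows and events are constructed samples; `yourlookup`, `lname`, `lsource` and `ldest` are the names used in the answer.

```python
import csv
import io
import re
# Constructed lookup table shaped like yourlookup.csv, and the LOOKUP-test value from the second answer.
LOOKUP_CSV = """IP,NAME,SOURCE,DESTINATION
10.0.0.5,web01,dmz,internal
10.0.0.9,db01,internal,internal
"""
LOOKUP_DEF = "yourlookup IP as IP OUTPUTNEW NAME as lname, SOURCE as lsource, DESTINATION as ldest"

def _field_map(spec):
    # 'NAME as lname, SOURCE' -> {'NAME': 'lname', 'SOURCE': 'SOURCE'} (lookup column -> event field)
    tokens = [t for t in re.split(r"[\s,]+", spec.strip()) if t]
    mapping, i = {}, 0
    while i < len(tokens):
        renamed = i + 2 < len(tokens) and tokens[i + 1].lower() == "as"
        mapping[tokens[i]] = tokens[i + 2] if renamed else tokens[i]
        i += 3 if renamed else 1
    return mapping

def parse_lookup_def(definition):
    # Split a props.conf LOOKUP-<name> value into (table, inputs, outputs, overwrite).
    m = re.match(r"(\S+)\s+(.*?)\s+(OUTPUTNEW|OUTPUT)\s+(.*)$", definition, re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised LOOKUP definition: %r" % definition)
    table, inputs, mode, outputs = m.groups()
    return table, _field_map(inputs), _field_map(outputs), mode.upper() == "OUTPUT"

def apply_lookup(events, definition, csv_text):
    # Enrich events the way the automatic lookup does at search time.
    _, inputs, outputs, overwrite = parse_lookup_def(definition)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    enriched = []
    for event in events:
        event = dict(event)
        # Match on every input field; the first matching row wins.
        row = next((r for r in rows
                    if all(r.get(col) == event.get(fld) for col, fld in inputs.items())), None)
        if row is not None:
            for col, fld in outputs.items():
                if overwrite or fld not in event:  # OUTPUTNEW never overwrites an existing field
                    event[fld] = row[col]
        enriched.append(event)
    return enriched

def demo():
    # Constructed events carrying only the two fields the UF sends (IP and PORT).
    events = [{"IP": "10.0.0.5", "PORT": "443"},
              {"IP": "10.0.0.7", "PORT": "22"},
              {"IP": "10.0.0.9", "PORT": "5432", "lname": "preset"}]
    return apply_lookup(events, LOOKUP_DEF, LOOKUP_CSV)
```

Running `demo()` shows the unmatched IP (10.0.0.7) passes through untouched, which is also what you see in search results when the lookup key does not match.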