Knowledge Management

How to check if the automatic lookup is working?

rajneeshc1981
Explorer

How to check if the automatic lookup is working?
Lookup is working fine how can I test auto lookup is working too?

0 Karma

harish_l
New Member

A lookup definition that you have defined previously.
Steps

In Splunk Web, select Settings > Lookups.
Under Actions for Automatic Lookups, click Add new.
Select the Destination app.
Give your automatic lookup a unique Name.
Select the Lookup table that you want to use in your fields lookup.
This is the name of the lookup definition that you defined on the Lookup Definition page.
In the Apply to menu, select a host, source, or source type value to apply the lookup and give it a name in the named field.
Under Lookup input fields provide one or more pairs of input fields.
The first field is the field in the lookup table that you want to match. The second field is a field from your events that matches the lookup table field. For example, you can have an ip_address field in your events that matches an ip field in the lookup table. So you would enter ip = ip_address in the automatic lookup definition.
Under Lookup output fields provide one or more pairs of output fields.
The first field is the corresponding field that you want to output to events. The second field is the name that the output field should have in your events. For example, the lookup table may have a field named country that you may want to output to your events as ip_city. So you would enter country=ip_city in the automatic lookup definition.
You can select the checkbox for Overwrite field values to overwrite the field values when the lookup runs.
Note: This is equivalent to configuring your fields lookup in props.conf.
Click Save.
The Automatic lookup view appears, and the lookup that you have defined is listed.

0 Karma

pradeepkumarg
Influencer

Run the search where the autolookup is intended to be used. The fields from the lookup should be added to results without explicitly calling lookup. Let's say your auto lookup works on the host field to populate IP address for all sourcetypes then running index=* should give IP address in the fields.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...