Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Creating an Automatic Lookup that applies to all hosts/sources/sourcetypes.

Ricapar
Communicator
‎05-30-2013 02:08 PM

I have a lookup table that I generate as a CSV dump of one of our databases. The database contains a list of all our hostnames, the host's role (dev, prod, etc), and who it belongs to.

The lookup table matches on the host field of an event.

I have the automatic lookup table working right now, but only for a single sourcetype. It works for other sourcetypes if I manually specify the |lookup command in the search.

Is it possible to create an automatic lookup that applies to every event, regardless of host, source, sourcetype, etc? Ideally I'd like to never have to use the |lookup command in order to see those extra columns displayed by default.

0 Karma
Reply

Ayn
Legend
‎05-30-2013 02:24 PM

Sure. Just use the [default] stanza in props.conf.

[default]
LOOKUP-yourlookup = yourlookupdefinition
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...