I had a question about the csv lookup app for Splunk. I recently installed the app on one of our dev search heads and it works great. By default, it stores and finds lookups from the /export/opt/splunk/etc/apps/<App-Name>/lookups, and it works great for lookups in that directory. With our production environment, we have lookups spread around the environment.
From my assumptions, I couldnt quite find the answer in the App docs, im assuming the app works alongside the built in lookups tab in splunk. If Splunk itself is seeing a lookup file, no matter where it is, whether its under /apps/<appname>/ or under /users/<username> , Then the lookup csv app can also read it and edit it.
My question is, is there a file within the app where we have to specify where the lookup files are and where to point to find them, or does the app automatically seek out and finds all .csv files that are lookups.
Thanks for any help 🙂
... View more