Wildly frustrated poring over the Splunk documentation -- there are absolutely no good introductions to any topic! Anyway...
I've got a simple JSON file:
[
{"acct": 1333, "name": "Customer 1"},
{"acct": 1334, "name": "Customer 2"}
]
That is updated daily by processes external to Splunk and I want to import it as a kv lookup (it'll get large over time) to convert account numbers to client names. I'm primarily using the web UI for administration, but have delved a little bit into using .conf files.
What is the difference between a "lookup" and a "lookup file"?
What should the format for the input JSON be? An object, an array of objects?
How do I import the file?
Any help appreciated!