Hello,
I have set up a Splunk Free instance with DHCP, DNS (squid), and firewall logs going into it. I am trying to configure a lookup table to assist with resolving DNS names. I have tried and tried, but cannot get this feature working. Here are the specifics:
csv file: splunk_lookup_home.csv (located in /opt/splunk/etc/system/lookups)

    homeip,homename
    192.168.0.1,testname
    192.168.0.2,test2name

/opt/splunk/etc/system/local/transform.conf

    ...
    [lan_lookup]
    filename = splunk_lookup_home.csv

/opt/splunk/etc/system/local/props.conf

    ...
    [squid]
    LOOKUP-lan = lan_lookup homeip OUTPUT homename
After I restart Splunk I am not seeing the new field, homename. I have been following this guide: http://docs.splunk.com/Documentation/Splunk/5.0.4/Knowledge/Addfieldsfromexternaldatasources. Even when I run the lookup from the search bar I am not getting the new fields:

    sourcetype="squid" | lookup lan_lookup homeip OUTPUT homename

I do see what looks to be a correct entry in the manager (Manager » Lookups » Automatic lookups). What am I forgetting to do? Is this a limitation of Splunk Free? Perhaps something with permissions? All the permissions are set to global.
    sourcetype="squid" | lookup lan_lookup homeip as clientip OUTPUT homename as clientip
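To see why the first search returns nothing while the second form (`homeip as clientip`) can match, it helps to replay what a CSV lookup actually does: Splunk joins each event's value of the *key field named in the search or props.conf* against the CSV column of the same name. If the squid events carry the client address in a field called `clientip` and no field called `homeip`, then `lookup lan_lookup homeip OUTPUT homename` has nothing to join on. The script below is an added example written for this thread, not Splunk's code; it simulates that join in plain Python over a constructed copy of the CSV and three constructed squid-style events, and it assumes (as the second search in the question implies) that the extracted address field is `clientip`.

```python
import csv
import io

# Constructed copy of the lookup table from the question (embedded here, not read from disk).
LOOKUP_CSV = """homeip,homename
192.168.0.1,testname
192.168.0.2,test2name
"""

# Constructed sample events as Splunk would present them after field extraction.
# Assumption: squid events expose the client address as "clientip", not "homeip".
SAMPLE_EVENTS = [
    {"sourcetype": "squid", "clientip": "192.168.0.1", "uri": "http://example.test/"},
    {"sourcetype": "squid", "clientip": "192.168.0.2", "uri": "http://example.test/a"},
    {"sourcetype": "squid", "clientip": "192.168.0.9", "uri": "http://example.test/b"},
]


def load_lookup(csv_text, key_field):
    """Parse the CSV and index rows by key_field; fail loudly if the header lacks it."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if key_field not in reader.fieldnames:
        raise ValueError(f"lookup key {key_field!r} not in CSV header {reader.fieldnames}")
    return {row[key_field]: row for row in reader}


def apply_lookup(events, table, key_field, output_field, event_field=None, output_as=None):
    """Approximate `lookup <name> <key> [AS <event_field>] OUTPUT <out> [AS <alias>]`.

    event_field is the name of the field in the event to compare against the CSV
    key column; output_as is the field name the matched value is written to.
    """
    event_field = event_field or key_field
    output_as = output_as or output_field
    enriched = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's event
        value = ev.get(event_field)  # None when the event has no such field -> no match
        match = table.get(value) if value is not None else None
        if match is not None:
            ev[output_as] = match[output_field]
        enriched.append(ev)
    return enriched


def count_enriched(events, field):
    """How many events received the output field."""
    return sum(1 for ev in events if field in ev)


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV, "homeip")

    # Form 1: `lookup lan_lookup homeip OUTPUT homename` -- events have no "homeip" field.
    out1 = apply_lookup(SAMPLE_EVENTS, table, "homeip", "homename")
    print("without AS clientip:", count_enriched(out1, "homename"), "of", len(SAMPLE_EVENTS), "enriched")

    # Form 2: `lookup lan_lookup homeip AS clientip OUTPUT homename` -- key mapped onto clientip.
    out2 = apply_lookup(SAMPLE_EVENTS, table, "homeip", "homename", event_field="clientip")
    print("with AS clientip:   ", count_enriched(out2, "homename"), "of", len(SAMPLE_EVENTS), "enriched")
    for ev in out2:
        print(ev["clientip"], "->", ev.get("homename", "(no match)"))
```

Two things the replay makes concrete. First, the automatic lookup in props.conf, `LOOKUP-lan = lan_lookup homeip OUTPUT homename`, only fires when an event already has a field literally named `homeip`; the `AS` form (`LOOKUP-lan = lan_lookup homeip AS clientip OUTPUT homename`) is what maps the CSV column onto the field the events actually carry. Second, the last search in the question writes `OUTPUT homename AS clientip`, which overwrites the original address with the name for matched rows and silently leaves unmatched rows unchanged, so a field that looks like an IP in some results and a hostname in others is expected rather than a sign the lookup is broken. Independently of field names, Splunk reads lookup definitions from a file called `transforms.conf` (plural), so the filename of the stanza file is worth checking alongside the field mapping.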