Databases Reference
In-Depth Information
•
Lookup input fields
: This defines the fields that will be queried in the lookup
file. One field must be specified, but multiple fields can be specified. Think of
this as a join in a database. The left side is the name of the field in the lookup
file. The right side is the name of the existing field in our events.
•
Lookup output fields:
: This section lets you decide what columns to include
from the lookup file and optionally overrides the names of those fields. The
left side is the name of the field in the lookup file. The right side is the field
to be created in the events. If left blank, the default behavior is to include all
fields from the lookup, using the names defined in the lookup file.
•
Overwrite field values
: If this option is selected, any existing field values
in an event will be overwritten by a value with the same name from the
lookup file.
After clicking on
Save
, we see the listing of
Automatic lookups
. Initially, the
Sharing
option is
Private
, which will cause problems if you want to share searches
with others. To share the lookup, first click on
Permissions
.
This presents us with the
Permissions
page. Change the value of
Object should
appear in
to
All apps
. We will discuss these permissions in greater detail in
Chapter
10
,
Configuring Splunk
.
Search WWH ::
Custom Search