4. Set the permissions on all of the objects. I usually opt for All Apps for Lookup table files and Lookup definitions, and This app only for Automatic lookups. See Chapter 6, Extending Search, for details.
5. Edit transforms.conf. As of Splunk 4.3, not all features of lookups can be defined through the admin interface. To access these features, the configuration files that actually drive Splunk must be edited manually. We will cover configuration files in great detail in Chapter 10, Configuring Splunk, but for now, let's add two lines to one file and move on:
1. Edit $SPLUNK_HOME/etc/apps/is_app_one/local/transforms.conf. The name of the directory is_app_one may be different depending on what app was active when you created your lookup definition. If you can't find this file, check your permissions and the App column in the admin interface.
2. You should see these two lines, or something similar, depending on what you named your Lookup table file and Lookup definition instances:
[flatten_summary_lookup]
filename = flatten_summary_lookup.csv
If you do not see these lines in this file, check your permissions.
3. Add two more lines below filename:
match_type = WILDCARD(url)
max_matches = 1
These two lines effectively say:
• match_type = WILDCARD(url): When evaluating the field url, honor wildcard characters. Without this setting, matches are always exact.
• max_matches = 1: Stop searching after the first match. By default, up to 10 matches are allowed. We want to match only the first line that matches, effectively using the lookup like a case statement.
If everything is wired up properly, we should now be able to run the search:
sourcetype=impl_splunk_web | stats count by section
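The effect of the two settings can be modeled outside Splunk. The following Python sketch is an added example, not code from the book and not Splunk's implementation: it shows why row order in the lookup file decides the result once WILDCARD matching is combined with max_matches = 1. The CSV rows and the helper names are constructed for illustration, and it assumes rows are evaluated top to bottom, as the "first line that matches" description above implies.

```python
import csv
import io
import re

# Constructed sample lookup table (not from the book). With max_matches = 1
# the most specific patterns must come first and the catch-all last.
LOOKUP_CSV = """url,section
/about/*,about
/contact/*,contact
/products/x/*,product_x
/products/*,products
*,unknown
"""

def load_rows(text):
    """Parse the lookup CSV into a list of dicts, preserving file order."""
    return list(csv.DictReader(io.StringIO(text)))

def wildcard_to_regex(pattern):
    """Translate a pattern in which only '*' is special into a regex."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)

def lookup(rows, url, wildcard=True, max_matches=1):
    """Return the section values of up to max_matches matching rows."""
    hits = []
    for row in rows:
        if wildcard:
            # Models match_type = WILDCARD(url)
            matched = wildcard_to_regex(row["url"]).fullmatch(url) is not None
        else:
            # Models the behaviour without match_type: exact comparison only
            matched = row["url"] == url
        if matched:
            hits.append(row["section"])
            if len(hits) >= max_matches:
                break  # Models max_matches: stop scanning once the limit is hit
    return hits

if __name__ == "__main__":
    rows = load_rows(LOOKUP_CSV)
    for u in ("/products/x/123", "/products/y/5", "/foo"):
        print(u, "->", lookup(rows, u))
```

Reversing the row order makes every URL resolve to the catch-all row, which is the mistake to check for when a wildcard lookup returns the same section for everything.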