A company uses Splunk to monitor web server logs. They have a lookup table that maps IP addresses to geographic locations (city, country). The lookup is defined as a CSV file with fields: ip, city, country. The lookup definition is named 'geo'. The team wants to automatically add city and country to every web event at index time, so that all future searches have this enrichment without adding the lookup command. The team tries to set up an automatic lookup in props.conf for the sourcetype 'web_access', but the city and country fields still do not appear in the events. They verify that the lookup file exists and that the lookup definition works when used manually with the lookup command. What is the most likely cause of the automatic lookup not working?
If the props.conf stanza does not match the sourcetype, the lookup will not be applied.
Why this answer
Option D is correct because an automatic lookup is configured in props.conf with a LOOKUP-<class> setting under a stanza that names the intended sourcetype, here [web_access]. The most common misconfiguration is a stanza that does not match the sourcetype (a typo, different case, or a [source::...] or [host::...] stanza where a sourcetype stanza was intended) or a malformed LOOKUP setting, so the lookup is never applied to the events. Since the lookup works when run manually, the CSV file and the lookup definition are fine and the problem is in props.conf. One correction to the premise: Splunk applies automatic lookups at search time, not at index time. The city and country fields are added when the events are retrieved, which still satisfies the team's goal of seeing them in every search without the lookup command, but they are never written into the index.
Exam trap
The trap is assuming that an automatic lookup is something other than a search-time lookup. It is the same lookup definition from transforms.conf, applied automatically by a LOOKUP-<class> setting in props.conf; it needs no TRANSFORMS- directive and does not run at index time. A stanza that does not match the sourcetype, or a malformed LOOKUP setting, produces no error: the fields are simply absent, which is exactly the symptom described.
How to eliminate wrong answers
Option A is wrong because Splunk does support what the team needs: automatic enrichment from a lookup with no lookup command in the search, configured with a LOOKUP-<class> setting in props.conf (TRANSFORMS- settings drive index-time field extraction and routing, not lookups). The enrichment happens at search time, so the fields are not stored in the index, but every search still sees them. Option B is wrong because a lookup definition backed by a CSV file works for automatic lookups; KV Store is not required. Option C is wrong because automatic lookups exist precisely so that the lookup command is not needed; once the props.conf stanza matches the sourcetype, the lookup is applied at search time to every event of that sourcetype.
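The checks above, as an added example that is not part of the original page: a small script that parses props.conf and transforms.conf text and reports the misconfigurations that stop an automatic lookup from firing for a sourcetype. The conf snippets are constructed for the example, and the event field name clientip and the CSV columns are assumptions; the LOOKUP setting syntax and the stanza-name matching are Splunk's own.

```python
"""Check why a Splunk automatic lookup is not enriching events.

Added example, not code from the original page. Given props.conf and
transforms.conf text, it checks the things that most often break an
automatic lookup for a sourcetype:
  1. a props.conf stanza whose name exactly matches the sourcetype
     (stanza names are case-sensitive; [web-access] != [web_access]),
  2. a LOOKUP-<class> setting in that stanza (TRANSFORMS- is not a lookup),
  3. the lookup definition it names exists in transforms.conf,
  4. the lookup input field is a column of the CSV.
The conf snippets, the event field name 'clientip' and the CSV columns
below are constructed for the example.
"""
import re

STANZA_RE = re.compile(r"^\[(.+)\]$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_lookup_setting(value):
    """Return (lookup_name, lookup_input_field) from a LOOKUP-<class> value.

    Syntax: <lookup_name> <lookup_field> [AS <event_field>] OUTPUT|OUTPUTNEW <fields>
    """
    tokens = value.split()
    if not tokens:
        return None, None
    has_field = len(tokens) > 1 and tokens[1].upper() not in ("OUTPUT", "OUTPUTNEW")
    return tokens[0], (tokens[1] if has_field else None)


def _normalize(name):
    """Loose form of a stanza name, used only to suggest a near-miss stanza."""
    return name.lower().replace("-", "_")


def check_auto_lookup(props_text, transforms_text, sourcetype, csv_fields):
    """Return a list of problems; an empty list means the configuration looks right."""
    props, transforms, problems = parse_conf(props_text), parse_conf(transforms_text), []

    stanza = props.get(sourcetype)  # exact, case-sensitive match, as Splunk does it
    if stanza is None:
        similar = [s for s in props if _normalize(s) == _normalize(sourcetype)]
        hint = f" (found similar stanza [{similar[0]}])" if similar else ""
        problems.append(f"no [{sourcetype}] stanza in props.conf{hint}")
        return problems

    lookups = {k: v for k, v in stanza.items() if k.startswith("LOOKUP-")}
    if not lookups:
        if any(k.startswith("TRANSFORMS-") for k in stanza):
            problems.append(f"[{sourcetype}] uses TRANSFORMS-, which is not a lookup; use LOOKUP-<class>")
        else:
            problems.append(f"[{sourcetype}] has no LOOKUP-<class> setting")
        return problems

    for key, value in lookups.items():
        name, lookup_field = parse_lookup_setting(value)
        definition = transforms.get(name)
        if definition is None:
            problems.append(f"{key} references lookup '{name}', which is not defined in transforms.conf")
        elif lookup_field is None:
            problems.append(f"{key} names no lookup input field")
        elif lookup_field not in csv_fields:
            problems.append(f"{key}: input field '{lookup_field}' is not a column of {definition.get('filename', name)}")
    return problems


# Constructed props.conf: stanza name 'web-access' does not match sourcetype 'web_access'.
BROKEN_PROPS = "[web-access]\nLOOKUP-geo = geo ip AS clientip OUTPUT city country\n"
# Constructed props.conf: right stanza, but an index-time TRANSFORMS- setting instead of LOOKUP-.
WRONG_DIRECTIVE_PROPS = "[web_access]\nTRANSFORMS-geo = geo\n"
# Corrected props.conf: the LOOKUP setting lives under the stanza that matches the sourcetype.
FIXED_PROPS = "[web_access]\nLOOKUP-geo = geo ip AS clientip OUTPUT city country\n"
# Constructed transforms.conf with the 'geo' lookup definition from the question.
TRANSFORMS = "[geo]\nfilename = geo.csv\n"
CSV_FIELDS = ["ip", "city", "country"]  # header of the constructed geo.csv

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_PROPS), ("wrong directive", WRONG_DIRECTIVE_PROPS), ("fixed", FIXED_PROPS)):
        print(f"{label}: {check_auto_lookup(conf, TRANSFORMS, 'web_access', CSV_FIELDS) or 'OK'}")
```

On a live search head the equivalent check is `splunk btool props list web_access --debug`, which prints the merged [web_access] stanza and the file each setting came from; if the LOOKUP-geo line is missing there, the stanza name or the app context is wrong. Remember that the fields only appear at search time, so verify with a search over the sourcetype rather than by inspecting the indexed raw event.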