Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: File based Transform/Props not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My log snippet is as shown below:
productid=12 email=abc@gg.com
productid=13 email=pqr@aa.com
productid=14 email=xyz@cc.com
I want to show "Product1" for 12 & "Product2" for 13 & "Product3" for 14 in the legends in my timechart.
/
productid,product_desc
12,Product1
13,Product2
/
[product_lookup]
filename = product_lookup.csv
/
[product_lookup]
LOOKUP-product_desc = product_lookup productid OUTPUT product_desc
After restarting server, when I'm running below query, it does not show product_desc.
index=myindex sourcetype=mylog | timechart count by product_desc
Can any one tell me why its not showing any output? How to use transforms/props, etc??
Any help is much appreciated!
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the sourcetype for your log? In props.conf, you have
[product_lookup]
LOOKUP-product_desc = product_lookup productid OUTPUT product_desc
But the stanza name should be your sourcetype as below:
[yourSourcetypeName]
LOOKUP-product_desc = product_lookup productid OUTPUT product_desc
Also, is there a field named productid in your log file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the sourcetype for your log? In props.conf, you have
[product_lookup]
LOOKUP-product_desc = product_lookup productid OUTPUT product_desc
But the stanza name should be your sourcetype as below:
[yourSourcetypeName]
LOOKUP-product_desc = product_lookup productid OUTPUT product_desc
Also, is there a field named productid in your log file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can, use the Manager UI in Splunk to set up your lookups. Then you can see what Splunk writes to the configuration files...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've used UI to generate these files. I don't want to write anything in csv file...Basically, I'm keeping my mapping in it & I want to read it from my query. Can you please tell me why its now showing up in my search result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The configuration files for "props" and "transforms" should have ".conf" as the end of the filename, not ".csv". If that was merely a typo in your question here, I'd start looking at the results of searches before the timechart call, to ensure that the lookup is happening before that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its a typo...I've corrected it. Can you please help?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
