I tried this tutorial:
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchTutorial/Usefieldlookups
Upload a look-up file
Define the field look-up
These two work great.
But when I tried the automatic lookup, it doesn't work.
I tried to search for sourcetype=access_*
It shows that there is no matching result,
and the permission is "all app".
The movielookup.csv structure is like:
movieId, movieName, movieGenre
1, Toy Story (1995), Animation
And where is transforms.conf?
Well, I'd start troubleshooting this by answering these questions:

movieId field in your data currently? Is it extracted as movieId and not something else (for example: MovieID or movieID or movie_id)? Lookups are case-sensitive, so this is important. If the fieldname is constructed differently, go back to the automatic lookup definition and change the lookup input field so it says (for example) MovieID = movieId.

movieId field is in your data and it is constructed correctly in your automatic lookup definition, have you verified that the events that contain it have the source type access_combined_wcookie? If not, what sourcetype value do these events have? If it isn't access_combined_wcookie go back to the automatic lookup definition and put in the correct source type. (Note that you can also group by host or source.)

If the answer to both of these questions is "yes" then we'll have to go to inquiry stage two. But let's get the easy stuff sorted out first.

As for the transforms.conf file, you can find it in $SPLUNK_HOME/etc/system/local/. You can find more information about editing lookup configurations in .conf files here. But I would advise that we ensure that we can't fix the problem through the Settings pages before moving on to the .conf file configurations.
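
The two checks in the answer above correspond to two places in the .conf form of an automatic lookup. This is an added illustration, not part of the original posts: the stanza name movielookup, the class name LOOKUP-movie and the event field name MovieID are assumptions, and the CSV column names are taken from the header shown in the question.

```ini
# transforms.conf: the lookup definition.
# Stanza name "movielookup" is assumed; filename is the CSV from the question.
[movielookup]
filename = movielookup.csv

# props.conf: the automatic lookup.
# Check 2 from the answer: the stanza header is the source type the lookup
# applies to, so it has to be the sourcetype value the events really carry.
[access_combined_wcookie]
# Check 1 from the answer: field names are case-sensitive.
# Form: LOOKUP-<class> = <lookup> <csv_field> AS <event_field> OUTPUT <csv_fields>
# Assumed case: the CSV column is "movieId" but the events carry "MovieID".
LOOKUP-movie = movielookup movieId AS MovieID OUTPUT movieName movieGenre

# If the events already carry the field as "movieId", no AS clause is needed:
# LOOKUP-movie = movielookup movieId OUTPUT movieName movieGenre

# The answer notes the lookup can also be scoped by host or source;
# in props.conf those stanza headers take these forms:
# [host::<host>]
# [source::<source>]
```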
This helped me a lot!
What I was trying to do works great!
It was hard work because all the fields were scrambled :<