Tried experimenting with the Http Status codes example in the documentation for lookup tables. This is the error.
Could not find the specified look up fields in the look up table for conf, source=mine look up table HttpStatusCodes
Any assistance or reference material would be appreciated.
Thanks in advance
It would be nicer if you could paste your config and lookup table, and some information which page you are reffering to.
Well, the information you are looking for is the following, there is a sample lookup table for http status, and how it needs to be configured.
But I guess you have already configured your lookup table.
Try to run the following inputlookup command to see if your lookup table is configured and accessible from Splunk.
| inputlookup YOUR_LOOKUP_TABLE_NAME
and see the field name you looked up exists and the lookup command you ran properly set.
for example, if input fieldname in your data and column name in lookup table are different, you need to associate the fieldname and colunmane using as in your lookup command like this:
... | lookup http_status status_code_in_lookup as status_code_fieldname OUTPUT status_description
Hope this helps
If you manually configure lookup, then you will need entry for your lookup csv files. However, because you are seeing the content of your lookup files by inputlookup, it tells your lookup table is accessible and usable. I guess there is something wrong with your lookup command or option when you run lookup.
It may help if you could paste your search here with some quick description of the fields in your data and column in your lookup table 🙂
I can successfully list the contents of the lookup table with the input lookup command. However I can not see the fields output. I will reread the "Addfieldsfromexternaldatasources" and start over. I did notice that there was no props.conf in the /usr/local/splunk/etc/apps/maps/local directory. Do I need a corresponding props.conf for each lookup table?
Thank you !,