Solved: http status lookup fields are not listed under pic...

kmisaal · ‎10-13-2011

I have a simple configuration for few forwarders and an indexer.
I have configured the field look-up on Splunk indexer for http status codes using the sample provided in user manual. My entries look like this.
1. csv file is uploaded under

$SPLUNK_HOME/etc/apps/search/lookups/http_status.csv

Contents of props.conf under $SPLUNK_HOME/etc/apps/search/local/props.conf

[apache_logs]
EXTRACT-status = (?i)^(?:[^"]*"){2}\s+(?P[^ ]+)

[access_combined]
LOOKUP-http_status = http_status status OUTPUT status_description, status_type
Contents of transforms.conf under $SPLUNK_HOME/etc/apps/search/lookups/transforms.conf

[http_status]
filename = http_status.csv
After this I restarted the Splunk indexer.
Searched the apache-logs through search app.
I did not see the status_description and status_type fields under the field pickup.
I see status = 200 as extracted field in results. However could not get description or type.

Am I missing any settings ? Please help.

Ayn · ‎10-13-2011

It seems you are using sourcetype apache_logs for your access logs, but the lookup is configured to be used for the sourcetype access_combined, so Splunk will not apply it. Change it to apache_logs and it should work.

View solution in original post

Ayn · ‎10-13-2011

It seems you are using sourcetype apache_logs for your access logs, but the lookup is configured to be used for the sourcetype access_combined, so Splunk will not apply it. Change it to apache_logs and it should work.

http status lookup fields are not listed under pickup fields

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!