Splunk Search

http status lookup fields are not listed under field picker fields

kmisaal
New Member

I have a simple configuration for a few forwarders and an indexer.
I have configured the field lookup on the Splunk indexer for HTTP status codes using the sample provided in the user manual. My entries look like this.
1. The csv file is uploaded under

    $SPLUNK_HOME/etc/apps/search/lookups/http_status.csv

2. Contents of props.conf under $SPLUNK_HOME/etc/apps/search/local/props.conf

    [apache_logs]
    EXTRACT-status = (?i)^(?:[^"]*"){2}\s+(?P<status>[^ ]+)

    [access_combined]
    LOOKUP-http_status = http_status status OUTPUT status_description, status_type

3. Contents of transforms.conf under $SPLUNK_HOME/etc/apps/search/lookups/transforms.conf

    [http_status]
    filename = http_status.csv

4. After this I restarted the Splunk indexer.

5. Searched the apache logs through the search app.

6. I did not see the status_description and status_type fields under the field picker.

7. I see status = 200 as an extracted field in the results. However, I could not get the description or type.

Am I missing any settings? Please help.

1 Solution

Ayn
Legend

It seems you are using sourcetype apache_logs for your access logs, but the lookup is configured to be used for the sourcetype access_combined, so Splunk will not apply it. Change it to apache_logs and it should work.


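The mismatch Ayn points out (a LOOKUP- setting under a stanza whose sourcetype the data never carries) is easy to miss by eye in a larger props.conf. As an added check, not part of this thread and not a Splunk tool, the script below parses props.conf and transforms.conf text and flags every automatic lookup that cannot fire: either its stanza names a sourcetype that no events carry, or it references a transforms.conf stanza that does not exist. The conf text and the sourcetype set are constructed here from this thread's values so the script runs offline; on a real system the set of sourcetypes would come from a search such as `| metadata type=sourcetypes`.

```python
"""Lint Splunk props.conf / transforms.conf for automatic lookups that can never apply.

Constructed sample input, taken from this thread's configuration; the named
group in the EXTRACT regex is written out in full, as Splunk expects it.
"""

PROPS_CONF = r"""
[apache_logs]
EXTRACT-status = (?i)^(?:[^"]*"){2}\s+(?P<status>[^ ]+)

[access_combined]
LOOKUP-http_status = http_status status OUTPUT status_description, status_type
"""

TRANSFORMS_CONF = """
[http_status]
filename = http_status.csv
"""

# Constructed: sourcetypes actually present in the index (in practice the
# output of `| metadata type=sourcetypes`).
SOURCETYPES_IN_USE = {"apache_logs"}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Splunk .conf files are INI-like; the first '=' on a line separates key
    from value, so regexes containing '=' survive intact.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_lookups(props_text, transforms_text, sourcetypes_in_use):
    """Return (stanza, setting, problem) tuples for LOOKUP- settings that cannot apply."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    problems = []
    for stanza, settings in props.items():
        for key, value in settings.items():
            if not key.startswith("LOOKUP-"):
                continue
            # Value grammar: <transforms stanza> <input field> [AS <alias>] OUTPUT <fields>
            table = value.split()[0]
            if table not in transforms:
                problems.append((stanza, key, f"transforms.conf has no [{table}] stanza"))
            # Stanzas such as [source::...] or [host::...] are not sourcetypes; only
            # plain stanza names are compared against the sourcetypes in use.
            if "::" not in stanza and stanza not in sourcetypes_in_use:
                problems.append((stanza, key, f"no events carry sourcetype {stanza}"))
    return problems


if __name__ == "__main__":
    for stanza, key, problem in lint_lookups(PROPS_CONF, TRANSFORMS_CONF, SOURCETYPES_IN_USE):
        print(f"[{stanza}] {key}: {problem}")
```

For the thread's configuration the script reports the single finding Ayn describes: the lookup sits under `[access_combined]` while the events are `apache_logs`. Moving the LOOKUP- line into the `[apache_logs]` stanza clears it. The script only checks stanza names and lookup references; it does not verify that the lookup's input field (`status` here) is actually extracted for that sourcetype, which is a separate thing to confirm in the search results.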
