×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
pgissiner
Engager
Member since: ‎03-20-2013
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-20-2013
Activity Feed
View All

Lookups in a distributed search environment

by in Splunk Search
‎06-17-2013 03:31 AM
‎06-17-2013 03:31 AM
I have configured a field lookup on our test server to return a readable name for event codes in our logs. Doing so with a TA app, so I have a folder with the proper subfolders containing my confs, the csv for the lookup, and local/default.meta. This works just fine in our test environment, and places a field in the left sidebar that displays the readable names in the logs returned while searching. We decided to move this to production, and have not had success. Our production environment has two indexers, two search heads serving different purposes, and an app deployment server. When we deployed the TA to our production environment to the search head we use to query splunk we originally encountered errors in the props, and transforms.conf that needed to be fixed. Having done that the errors cleared, yet we do not get a field containing readable names for the event codes in our logs. Are there any differences between a 'monolithic' and distributed search environment that would prevent a lookup from one working on the other? ... View more

Help with Lookup table

by in Splunk Search
‎03-21-2013 04:35 AM
‎03-21-2013 04:35 AM
I am attempting to display categories from websense logs in human readable form. Currently they display the category id in the Search app rather than the name. I added a lookup table with two columns, one with the category, and one with the category name, comma delimited to achieve this. Here is my addition to props.conf: [websense_categories] LOOKUP-websense = websense category OUTPUT category_name FIELDALIAS-category = category_name And to transforms.conf: [websense] DELIMS = "," FIELDS = "category", "category_name" filename = websense.csv max_matches = 100 Still when searching websense logs via search app categories appear as numbers rather than the category name. If more information is needed, I can clarify. Thank you, ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All