Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

File based Transform/Props not working

freephoneid
Path Finder
‎03-28-2012 02:57 PM

My log snippet is as shown below:

productid=12 email=abc@gg.com
productid=13 email=pqr@aa.com
productid=14 email=xyz@cc.com

I want to show "Product1" for 12 & "Product2" for 13 & "Product3" for 14 in the legends in my timechart.

//lookups/product_lookup.csv contains following entries:

productid,product_desc
12,Product1
13,Product2

//local/transforms.conf contains below entries:

[product_lookup]
filename = product_lookup.csv

//local/props.conf contains below entries:

[product_lookup]
LOOKUP-product_desc = product_lookup productid OUTPUT product_desc

After restarting server, when I'm running below query, it does not show product_desc.

index=myindex sourcetype=mylog | timechart count by product_desc

Can any one tell me why its not showing any output? How to use transforms/props, etc??

Any help is much appreciated!

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-28-2012 05:39 PM

What is the sourcetype for your log? In props.conf, you have

[product_lookup]
LOOKUP-product_desc = product_lookup productid OUTPUT product_desc

But the stanza name should be your sourcetype as below:

[yourSourcetypeName]
LOOKUP-product_desc = product_lookup productid OUTPUT product_desc

Also, is there a field named productid in your log file?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-28-2012 05:39 PM

What is the sourcetype for your log? In props.conf, you have

[product_lookup]
LOOKUP-product_desc = product_lookup productid OUTPUT product_desc

But the stanza name should be your sourcetype as below:

[yourSourcetypeName]
LOOKUP-product_desc = product_lookup productid OUTPUT product_desc

Also, is there a field named productid in your log file?

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎03-28-2012 03:59 PM

If you can, use the Manager UI in Splunk to set up your lookups. Then you can see what Splunk writes to the configuration files...

0 Karma
Reply
Solved! Jump to solution

freephoneid
Path Finder
‎03-28-2012 04:39 PM

I've used UI to generate these files. I don't want to write anything in csv file...Basically, I'm keeping my mapping in it & I want to read it from my query. Can you please tell me why its now showing up in my search result?

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎03-28-2012 03:54 PM

The configuration files for "props" and "transforms" should have ".conf" as the end of the filename, not ".csv". If that was merely a typo in your question here, I'd start looking at the results of searches before the timechart call, to ensure that the lookup is happening before that.

0 Karma
Reply
Solved! Jump to solution

freephoneid
Path Finder
‎03-28-2012 04:36 PM

Its a typo...I've corrected it. Can you please help?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...