I have a simple configuration with a few forwarders and an indexer.
I have configured the field lookup on the Splunk indexer for HTTP status codes using the sample provided in the user manual. My entries look like this.
1. The CSV file is uploaded under
$SPLUNK_HOME/etc/apps/search/lookups/http_status.csv
Contents of props.conf under $SPLUNK_HOME/etc/apps/search/local/props.conf
[apache_logs]
EXTRACT-status = (?i)^(?:[^"]*"){2}\s+(?P
[access_combined]
LOOKUP-http_status = http_status status OUTPUT status_description, status_type
Contents of transforms.conf under $SPLUNK_HOME/etc/apps/search/lookups/transforms.conf
[http_status]
filename = http_status.csv
After this I restarted the Splunk indexer.
Searched the apache logs through the search app.
I did not see the status_description and status_type fields in the field picker.
I see status = 200 as an extracted field in the results. However, I could not get the description or type.
Am I missing any settings? Please help.
It seems you are using sourcetype apache_logs for your access logs, but the lookup is configured to be used for the sourcetype access_combined, so Splunk will not apply it. Change it to apache_logs and it should work.
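For reference, here is what the two configuration files look like with the lookup bound to the sourcetype the events actually carry. This is an added example, not the asker's or the answerer's files: it assumes the CSV column names status, status_description and status_type from the question, and it keeps the asker's existing EXTRACT-status line as a placeholder rather than spelling out the regex, which is cut off in the question. One practical caveat: Splunk reads transforms.conf from an app's local/ (or default/) directory, not from lookups/, so the transforms.conf shown in the question should be moved alongside props.conf.

```ini
# Added example, not from the original post.
# $SPLUNK_HOME/etc/apps/search/local/props.conf

# Before: the lookup is attached to a sourcetype these events never have,
# so it is silently skipped even though the stanza itself is valid.
#[access_combined]
#LOOKUP-http_status = http_status status OUTPUT status_description, status_type

# After: extraction and lookup live under the same stanza, the real sourcetype.
[apache_logs]
# keep the asker's existing EXTRACT-status here; it already yields status=200
LOOKUP-http_status = http_status status OUTPUT status_description, status_type

# $SPLUNK_HOME/etc/apps/search/local/transforms.conf  (local/, not lookups/)
# Maps the lookup name used in props.conf to the CSV uploaded earlier.
# Column names assumed from the question: status, status_description, status_type.
[http_status]
filename = http_status.csv
```

After restarting, two quick checks separate a lookup-table problem from a stanza-binding problem: `| inputlookup http_status.csv` should return the CSV rows, and `splunk btool props list apache_logs --debug` (run on the indexer) should show the LOOKUP-http_status line attributed to the local props.conf. If both look right but the fields are still missing, run the lookup by hand in a search, `sourcetype=apache_logs | lookup http_status status OUTPUT status_description status_type`, which applies the same table regardless of sourcetype and confirms the CSV values match the extracted status field exactly.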