Solved: Help with Lookup table

pgissiner · ‎03-21-2013

I am attempting to display categories from websense logs in human readable form. Currently they display the category id in the Search app rather than the name. I added a lookup table with two columns, one with the category, and one with the category name, comma delimited to achieve this.

Here is my addition to props.conf:

[websense_categories]
LOOKUP-websense = websense category OUTPUT category_name
FIELDALIAS-category = category_name

And to transforms.conf:

[websense]
DELIMS = ","
FIELDS = "category", "category_name"
filename = websense.csv
max_matches = 100

Still when searching websense logs via search app categories appear as numbers rather than the category name. If more information is needed, I can clarify. Thank you,

kristian_kolb · ‎03-21-2013

I believe that you are mixing two concepts; REPORT and LOOKUP.

DELIMS and FIELDS in transforms.conf would typically be used in a REPORT (from props.conf)

The FIELDALIAS also misses stuff. It should be;

FIELDALIAS-somename original_field_name AS alternate_field_name

See the docs for props.conf

As for the LOOKUP itself, you should see the example regarding HTTP status lookups in the docs.

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎03-21-2013

I believe that you are mixing two concepts; REPORT and LOOKUP.

DELIMS and FIELDS in transforms.conf would typically be used in a REPORT (from props.conf)

The FIELDALIAS also misses stuff. It should be;

FIELDALIAS-somename original_field_name AS alternate_field_name

See the docs for props.conf

As for the LOOKUP itself, you should see the example regarding HTTP status lookups in the docs.

Hope this helps,

Kristian

Help with Lookup table

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases