Community:Http status lookup table

From Splunk Wiki


Make a lookup dir

Create $splunk_home/etc/apps/search/lookups:

 cd $splunk_home
 mkdir etc/apps/search/lookups
 

NOTE: You may substitute the name of your own app for search:

  etc/apps/$myapp/lookups

Put http_status.csv in $splunk_home/etc/apps/search/lookups.

Edit the search transforms.conf

Add the following to $splunk_home/etc/apps/search/local/transforms.conf:

 [http_status]
 filename = http_status.csv
 

Edit the search props.conf

Add the following to $splunk_home/etc/apps/search/local/props.conf:


 [access_combined]
 pulldown_type = true
 lookup_table = http_status status OUTPUT status_description, status_type
 maxDist = 28
 MAX_TIMESTAMP_LOOKAHEAD = 128
 REPORT-access = access-extractions
 SHOULD_LINEMERGE = False
 TIME_PREFIX = \[
 
 [access_combined_wcookie]
 pulldown_type = true
 lookup_table = http_status status OUTPUT status_description, status_type
 MAX_TIMESTAMP_LOOKAHEAD = 128
 REPORT-access = access-extractions
 SHOULD_LINEMERGE = False
 TIME_PREFIX = \[
 
 [access_common]
 pulldown_type = true
 lookup_table = http_status status OUTPUT status_description, status_type
 MAX_TIMESTAMP_LOOKAHEAD = 128
 REPORT-access = access-extractions
 SHOULD_LINEMERGE = False
 TIME_PREFIX = \[
 
 [apache_error]
 pulldown_type = true
 lookup_table = http_status status OUTPUT status_description, status_type
 maxDist = 50
 MAX_TIMESTAMP_LOOKAHEAD = 128
 BREAK_ONLY_BEFORE = ^\[
 TIME_FORMAT = [%A %B %d %T %Y]


Enforce Permissions

 chown -R $splunk_user:$splunk_group $splunk_home
 

Restart Splunk

Pick Field

Select Pick Fields from the toolbar on the left and add status_description.


--Ericboyd 16:30, 19 August 2009 (PDT)
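
The steps above place http_status.csv in the lookups directory but do not show its contents. The following is an added example, not part of the original page: it builds a CSV whose header carries the three field names used in the props.conf lookup line and checks a file for a wrong header or duplicate keys. Taking the descriptions from Python's http.HTTPStatus and the status_type labels are assumptions.

```python
import csv
import io
from http import HTTPStatus

# Column names must match the lookup line in props.conf:
#   http_status status OUTPUT status_description, status_type
FIELDS = ["status", "status_description", "status_type"]

# Assumed status_type labels (not from the page), keyed by the leading digit.
STATUS_TYPES = {1: "Informational", 2: "Successful", 3: "Redirection",
                4: "Client Error", 5: "Server Error"}


def build_rows():
    """One row per status code known to Python's standard library."""
    return [{"status": str(code),
             "status_description": HTTPStatus(code).phrase,
             "status_type": STATUS_TYPES[code // 100]}
            for code in sorted({s.value for s in HTTPStatus})]


def render_csv(rows):
    """Serialise rows as CSV text, header first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def check_csv(text):
    """List problems with a lookup file: wrong header or duplicate status keys."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != FIELDS:
        return [f"header {reader.fieldnames} does not match {FIELDS}"]
    problems, seen = [], set()
    for row in reader:
        if row["status"] in seen:
            problems.append(f"duplicate status {row['status']}")
        seen.add(row["status"])
    return problems


if __name__ == "__main__":
    # Writes into the current directory; copy the file to the lookups dir.
    with open("http_status.csv", "w", newline="") as fh:
        fh.write(render_csv(build_rows()))
```

Run it once, copy the resulting http_status.csv into the lookups directory, then continue with the permissions and restart steps.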
