https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67211#M16793 <P>This is from Splunk documents. I have used this to create my lookup files. (<A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources</A>)</P> <PRE><CODE>Here's an example of setting up lookups for HTTP status codes in an access_combined log. In this example, you want to match the status field in your lookup table (http_status.csv) with the field in your events. Then, you add the status description and status type fields into your events. The following is the http_status.csv file. You can put this into $SPLUNK_HOME/etc/apps/&lt;app_name&gt;/lookups/. If you're using this in the Search App, put the file into $SPLUNK_HOME/etc/apps/search/lookups/: status,status_description,status_type 100,Continue,Informational 101,Switching Protocols,Informational 200,OK,Successful 201,Created,Successful 202,Accepted,Successful 203,Non-Authoritative Information,Successful 204,No Content,Successful 205,Reset Content,Successful 206,Partial Content,Successful 300,Multiple Choices,Redirection 301,Moved Permanently,Redirection 302,Found,Redirection 303,See Other,Redirection 304,Not Modified,Redirection 305,Use Proxy,Redirection </CODE></PRE> Fri, 21 Sep 2012 17:11:22 GMT Michael_Schyma1 2012-09-21T17:11:22Z https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67209#M16791 <P>We have several applications that we monitor and have written dashboards for. We would like to have one lookup table for each application. The lookup table would contain data such as technical error codes, Business Error Codes and SLA for example. We are having trouble getting this schema to work using an abstract CSV file (see example below).</P> <P>Has anyone successfully implemented such a data structure? If so, how do you show both Technical Errors, and SLA data in the same search?</P> <P>Name | Value<BR /><BR /> TechnicalError | 123<BR /><BR /> TechnicalError | 456<BR /><BR /> SLA | 99.9</P> <P>We need to search for Technical errors (linked to status code in the data). And put an SLA line on the chart as well. I've seen the post on how to do that, but how do we do both from the same lookup?</P> Fri, 21 Sep 2012 16:40:15 GMT https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67209#M16791 tadb 2012-09-21T16:40:15Z https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67210#M16792 <P>Your CSV file needs to have commas - or is this just how you are showing it here? And are the field names <EM>really</EM> Name and Value?</P> <P>Why must it be only one lookup? It seems reasonable that there would be a lookup table for error codes separate from a table for SLAs.</P> Fri, 21 Sep 2012 16:57:41 GMT https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67210#M16792 lguinn2 2012-09-21T16:57:41Z https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67211#M16793 <P>This is from Splunk documents. I have used this to create my lookup files. (<A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources</A>)</P> <PRE><CODE>Here's an example of setting up lookups for HTTP status codes in an access_combined log. In this example, you want to match the status field in your lookup table (http_status.csv) with the field in your events. Then, you add the status description and status type fields into your events. The following is the http_status.csv file. You can put this into $SPLUNK_HOME/etc/apps/&lt;app_name&gt;/lookups/. If you're using this in the Search App, put the file into $SPLUNK_HOME/etc/apps/search/lookups/: status,status_description,status_type 100,Continue,Informational 101,Switching Protocols,Informational 200,OK,Successful 201,Created,Successful 202,Accepted,Successful 203,Non-Authoritative Information,Successful 204,No Content,Successful 205,Reset Content,Successful 206,Partial Content,Successful 300,Multiple Choices,Redirection 301,Moved Permanently,Redirection 302,Found,Redirection 303,See Other,Redirection 304,Not Modified,Redirection 305,Use Proxy,Redirection </CODE></PRE> Fri, 21 Sep 2012 17:11:22 GMT https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67211#M16793 Michael_Schyma1 2012-09-21T17:11:22Z https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67212#M16794 <P>Yes, the files is comma separated. I just put the | in to make it look more like a table.</P> Fri, 21 Sep 2012 17:24:26 GMT https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67212#M16794 tadb 2012-09-21T17:24:26Z https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67213#M16795 <P>I think you are saying the same thing as the previous poster. Make two files. I would like to have a single file for each application. This file would contain both ErrorCodes and SLA information. </P> <P>Perhaps that is not possible with Splunk.</P> Fri, 21 Sep 2012 17:31:23 GMT https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67213#M16795 tadb 2012-09-21T17:31:23Z https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67214#M16796 <P>Is SLA always going to be in a line chart?</P> Sat, 22 Sep 2012 02:27:01 GMT https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67214#M16796 davecroto 2012-09-22T02:27:01Z https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67215#M16797 <P>Is SLA always going to be in a line chart? And will it be static?</P> Sat, 22 Sep 2012 02:29:07 GMT https://community.splunk.com/t5/Splunk-Search/Abstract-Lookup/m-p/67215#M16797 davecroto 2012-09-22T02:29:07Z