Thanks for the explanation.

 Wouldn't it be simpler to use a CSV file to query and associate an alert type with a procedure?

That would be easier to manage than coding it in each alert, wouldn't it?

OK thanks you , if i resume my to do list:

Step 1: Create the CSV file for the lookup

1. Create a CSV file, for example runbook_lookup.csv, with at least these columns:

alert_name, runbook_url
CPU > 90%, https://wiki.moc.local/runbooks/cpu_high
Memory > 80%, https://wiki.moc.local/runbooks/memory_high
Web Service Down, https://wiki.moc.local/runbooks/web_service_down
DB Error, https://wiki.moc.local/runbooks/db_error
• alert_name → must match the exact name of your Splunk alert.

• runbook_url → link to the runbook or procedure.

Step 2: Upload the CSV to Splunk

1. In Splunk Web, go to Settings → Lookups → Lookup table files → Add new
2. Choose your app (e.g., Search & Reporting)
3. Select the CSV file runbook_lookup.csv
4. Give it an internal name (e.g., runbook_lookup.csv)

Step 3: Create the Lookup Definition

1. Still in Settings → Lookups → Lookup definitions → Add new
2. Definition name: runbook_lookup_def
3. Lookup file: select runbook_lookup.csv
4. Leave the other parameters as default

Step 4: Use the lookup in your search/alert
Let's say you have an alert that is triggered: alert_type:
index=server_logs severity=critical
| table _time alert_type host severity
| lookup runbook_lookup_def alert_name AS alert_type OUTPUT runbook_url
| table _time alert_type host severity runbook_url

it's that correct  ? 

do you agree

Ciao Giuseppe, 

I would like Splunk to not only notify me of the alert but also provide the procedure to follow for the monitoring team. Is this possible?
Do I need to use a CSV file and the SPL language?

Thank you 

michel