We have several applications that we monitor and have written dashboards for. We would like to have one lookup table for each application. The lookup table would contain data such as technical error codes, Business Error Codes and SLA for example. We are having trouble getting this schema to work using an abstract CSV file (see example below).
Has anyone successfully implemented such a data structure? If so, how do you show both Technical Errors, and SLA data in the same search?
Name | Value
TechnicalError | 123
TechnicalError | 456
SLA | 99.9
We need to search for Technical errors (linked to status code in the data). And put an SLA line on the chart as well. I've seen the post on how to do that, but how do we do both from the same lookup?
Is SLA always going to be in a line chart? And will it be static?
This is from Splunk documents. I have used this to create my lookup files. (http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources)
Here's an example of setting up lookups for HTTP status codes in an access_combined log. In this example, you want to match the status field in your lookup table (http_status.csv) with the field in your events. Then, you add the status description and status type fields into your events.
The following is the http_status.csv file. You can put this into $SPLUNK_HOME/etc/apps/<app_name>/lookups/. If you're using this in the Search App, put the file into $SPLUNK_HOME/etc/apps/search/lookups/:
status,status_description,status_type
100,Continue,Informational
101,Switching Protocols,Informational
200,OK,Successful
201,Created,Successful
202,Accepted,Successful
203,Non-Authoritative Information,Successful
204,No Content,Successful
205,Reset Content,Successful
206,Partial Content,Successful
300,Multiple Choices,Redirection
301,Moved Permanently,Redirection
302,Found,Redirection
303,See Other,Redirection
304,Not Modified,Redirection
305,Use Proxy,Redirection
I think you are saying the same thing as the previous poster. Make two files. I would like to have a single file for each application. This file would contain both ErrorCodes and SLA information.
Perhaps that is not possible with Splunk.
Your CSV file needs to have commas - or is this just how you are showing it here? And are the field names really Name and Value?
Why must it be only one lookup? It seems reasonable that there would be a lookup table for error codes separate from a table for SLAs.
Yes, the file is comma separated. I just put the | in to make it look more like a table.
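One way to use a single per-application file for both purposes, as an added example that is not part of the original thread: the lookup command tags events whose status matches a TechnicalError row, and a subsearch over the same file pulls the SLA value into a constant field that charts as a flat line. The file name app1_lookup.csv (header Name,Value with the rows from the question), the index app1, the sourcetype, and the event field status are assumptions.

```spl
index=app1 sourcetype=access_combined
| lookup app1_lookup.csv Value AS status OUTPUT Name AS code_type
| timechart span=1h count AS total, count(eval(code_type="TechnicalError")) AS technical_errors
| eval success_pct = round(100 * (total - technical_errors) / total, 2)
| eval SLA = [| inputlookup app1_lookup.csv | search Name="SLA" | head 1 | return $Value]
| fields _time success_pct SLA
```

If the same Value appears under more than one Name, code_type becomes multivalued for those events, so keep each code under a single Name in the file.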