Splunk Search

Abstract Lookup

tadb
New Member

We have several applications that we monitor and have written dashboards for. We would like to have one lookup table for each application. The lookup table would contain data such as technical error codes, Business Error Codes and SLA for example. We are having trouble getting this schema to work using an abstract CSV file (see example below).

Has anyone successfully implemented such a data structure? If so, how do you show both Technical Errors, and SLA data in the same search?

Name | Value

TechnicalError | 123

TechnicalError | 456

SLA | 99.9

We need to search for Technical errors (linked to status code in the data). And put an SLA line on the chart as well. I've seen the post on how to do that, but how do we do both from the same lookup?

Tags (1)
0 Karma

davecroto
Splunk Employee
Splunk Employee

Is SLA always going to be in a line chart? And will it be static?

0 Karma

davecroto
Splunk Employee
Splunk Employee

Is SLA always going to be in a line chart?

0 Karma

Michael_Schyma1
Contributor

This is from Splunk documents. I have used this to create my lookup files. (http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources)

Here's an example of setting up lookups for HTTP status codes in an access_combined log. In this example, you want to match the status field in your lookup table (http_status.csv) with the field in your events. Then, you add the status description and status type fields into your events.

The following is the http_status.csv file. You can put this into $SPLUNK_HOME/etc/apps/<app_name>/lookups/. If you're using this in the Search App, put the file into $SPLUNK_HOME/etc/apps/search/lookups/:

status,status_description,status_type
100,Continue,Informational
101,Switching Protocols,Informational
200,OK,Successful
201,Created,Successful
202,Accepted,Successful
203,Non-Authoritative Information,Successful
204,No Content,Successful
205,Reset Content,Successful
206,Partial Content,Successful
300,Multiple Choices,Redirection
301,Moved Permanently,Redirection
302,Found,Redirection
303,See Other,Redirection
304,Not Modified,Redirection
305,Use Proxy,Redirection
0 Karma

tadb
New Member

I think you are saying the same thing as the previous poster. Make two files. I would like to have a single file for each application. This file would contain both ErrorCodes and SLA information.

Perhaps that is not possible with Splunk.

0 Karma

lguinn2
Legend

Your CSV file needs to have commas - or is this just how you are showing it here? And are the field names really Name and Value?

Why must it be only one lookup? It seems reasonable that there would be a lookup table for error codes separate from a table for SLAs.

0 Karma

tadb
New Member

Yes, the files is comma separated. I just put the | in to make it look more like a table.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...