We have several applications that we monitor and have written dashboards for. We would like to have one lookup table for each application. The lookup table would contain data such as technical error codes, Business Error Codes and SLA for example. We are having trouble getting this schema to work using an abstract CSV file (see example below).
Has anyone successfully implemented such a data structure? If so, how do you show both Technical Errors, and SLA data in the same search?
Name | Value
TechnicalError | 123
TechnicalError | 456
SLA | 99.9
We need to search for technical errors (linked to the status code in the data) and put an SLA line on the chart as well. I've seen the post on how to do that, but how do we do both from the same lookup?
Your CSV file needs to have commas - or is this just how you are showing it here? And are the field names really Name and Value?
Why must it be only one lookup? It seems reasonable that there would be a lookup table for error codes separate from a table for SLAs.
This is from Splunk documents. I have used this to create my lookup files. (http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources)
Here's an example of setting up lookups for HTTP status codes in an access_combined log. In this example, you want to match the status field in your lookup table (http_status.csv) with the field in your events. Then, you add the status description and status type fields into your events. The following is the http_status.csv file. You can put this into $SPLUNK_HOME/etc/apps/<app_name>/lookups/. If you're using this in the Search App, put the file into $SPLUNK_HOME/etc/apps/search/lookups/:
status,status_description,status_type
100,Continue,Informational
101,Switching Protocols,Informational
200,OK,Successful
201,Created,Successful
202,Accepted,Successful
203,Non-Authoritative Information,Successful
204,No Content,Successful
205,Reset Content,Successful
206,Partial Content,Successful
300,Multiple Choices,Redirection
301,Moved Permanently,Redirection
302,Found,Redirection
303,See Other,Redirection
304,Not Modified,Redirection
305,Use Proxy,Redirection
I think you are saying the same thing as the previous poster. Make two files. I would like to have a single file for each application. This file would contain both ErrorCodes and SLA information.
Perhaps that is not possible with Splunk.
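An added example, not part of any post in this thread: one way to drive both the error filter and the SLA line from a single comma-separated Name,Value lookup file, using two subsearches over the same file. The file name app1_lookup.csv, the index app1, the one-hour span and the event field status are assumptions; the Name and Value columns and the TechnicalError and SLA rows follow the sample in the question.

```spl
index=app1
    [| inputlookup app1_lookup.csv
     | where Name="TechnicalError"
     | rename Value AS status
     | fields status ]
| timechart span=1h count AS technical_errors
| eval SLA=[| inputlookup app1_lookup.csv
            | where Name="SLA"
            | return $Value ]
```

The first subsearch expands to (status=123 OR status=456) and restricts the events to the listed technical error codes; the second expands to the single SLA value, so the eval adds a constant SLA series to every row of the timechart.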