Solved: CSV lookup with multiple values for one field

epacke · ‎08-03-2018

Hi!
I'm pulling events from a monitoring system and these events only contains an id for the host/server being down. The other metadata is in a huge table separate from the event logs.

My question is, how would you recommend designing the indexing of these events if I wanted to tie the meta data to them?

Example:
Event:
name="MyServer", id="1000", state="down"

Metadata:
name="MyServer", id="1000", categories="server, "webserver", "tomcat"

My goal here is to get statistics per category, ie:
state=down | timechart count by category

Since the metadata is more or less static and consumes ~50MB a csv lookup or something similar would be ideal. Not sure though how to format the csv file for fields with multiple values.

Any advise would be most appreciated!

Kind regards,
Patrik

epacke · ‎08-03-2018

Found how to do it myself:

If the same key exists in the CSV file it will be added
host_name,category
MyServer,gerbils
MyServer,hamsters
MyServer,monsters

Then it got all the categories. Case closed!

View solution in original post

epacke · ‎08-03-2018

Found how to do it myself:

If the same key exists in the CSV file it will be added
host_name,category
MyServer,gerbils
MyServer,hamsters
MyServer,monsters

Then it got all the categories. Case closed!

CSV lookup with multiple values for one field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases