Splunk Search

CSV lookup with multiple values for one field

epacke
Path Finder

Hi!
I'm pulling events from a monitoring system and these events only contain an id for the host/server being down. The other metadata is in a huge table separate from the event logs.

My question is, how would you recommend designing the indexing of these events if I wanted to tie the metadata to them?

Example:
Event:
name="MyServer", id="1000", state="down"

Metadata:
name="MyServer", id="1000", categories="server", "webserver", "tomcat"

My goal here is to get statistics per category, i.e.:
state=down | timechart count by category

Since the metadata is more or less static and consumes ~50MB a csv lookup or something similar would be ideal. Not sure though how to format the csv file for fields with multiple values.

Any advice would be most appreciated!

Kind regards,
Patrik

0 Karma
1 Solution

epacke
Path Finder

Found how to do it myself:

If the same key exists in the CSV file it will be added
host_name,category
MyServer,gerbils
MyServer,hamsters
MyServer,monsters

Then it got all the categories. Case closed!

0 Karma
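One way to produce the one-row-per-category layout from the answer above, as an added example that is not part of the original posts. It assumes the metadata table can be exported as a CSV with columns `name`, `id` and `categories`, where `categories` is a comma-separated list with optional quotes and no commas inside a category name; the sample data and all function names are constructed for illustration.

```python
import csv
import io

# Constructed sample of the metadata table; the column names and the
# quoted, comma-separated "categories" cell are assumptions.
SAMPLE_METADATA = '''name,id,categories
MyServer,1000,"""server"", ""webserver"", ""tomcat"""
OtherServer,1001,"database, server, database"
BareHost,1002,
'''

def split_categories(cell):
    """Split one multi-value cell into clean, de-duplicated category names."""
    seen, out = set(), []
    for part in cell.split(","):
        # Drop surrounding whitespace and the quotes left over from the export.
        value = part.strip().strip('"').strip()
        if value and value not in seen:
            seen.add(value)
            out.append(value)
    return out

def to_lookup_rows(metadata_file, key_field="name", multi_field="categories"):
    """Yield (host_name, category) pairs, one per category value."""
    for record in csv.DictReader(metadata_file):
        host = (record.get(key_field) or "").strip()
        if not host:
            continue  # a row without a key can never match an event
        for category in split_categories(record.get(multi_field) or ""):
            yield host, category

def build_lookup_csv(metadata_text):
    """Return the lookup file content: header plus one row per host/category."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["host_name", "category"])
    writer.writerows(to_lookup_rows(io.StringIO(metadata_text)))
    return out.getvalue()

if __name__ == "__main__":
    print(build_lookup_csv(SAMPLE_METADATA), end="")
```

Hosts with an empty category list (`BareHost` in the sample) produce no rows, so events for them get no `category` value from the lookup.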
