Splunk Search

CSV lookup with multiple values for one field

epacke
Path Finder

Hi!
I'm pulling events from a monitoring system and these events only contains an id for the host/server being down. The other metadata is in a huge table separate from the event logs.

My question is, how would you recommend designing the indexing of these events if I wanted to tie the meta data to them?

Example:
Event:
name="MyServer", id="1000", state="down"

Metadata:
name="MyServer", id="1000", categories="server, "webserver", "tomcat"

My goal here is to get statistics per category, ie:
state=down | timechart count by category

Since the metadata is more or less static and consumes ~50MB a csv lookup or something similar would be ideal. Not sure though how to format the csv file for fields with multiple values.

Any advise would be most appreciated!

Kind regards,
Patrik

0 Karma
1 Solution

epacke
Path Finder

Found how to do it myself:

If the same key exists in the CSV file it will be added
host_name,category
MyServer,gerbils
MyServer,hamsters
MyServer,monsters

Then it got all the categories. Case closed!

View solution in original post

0 Karma

epacke
Path Finder

Found how to do it myself:

If the same key exists in the CSV file it will be added
host_name,category
MyServer,gerbils
MyServer,hamsters
MyServer,monsters

Then it got all the categories. Case closed!

0 Karma
Get Updates on the Splunk Community!

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...