Splunk Search

CSV lookup with multiple values for one field

Path Finder

Hi!
I'm pulling events from a monitoring system and these events only contain an id for the host/server being down. The other metadata is in a huge table separate from the event logs.

My question is, how would you recommend designing the indexing of these events if I wanted to tie the metadata to them?

Example:
Event:
name="MyServer", id="1000", state="down"

Metadata:
name="MyServer", id="1000", categories="server, "webserver", "tomcat"

My goal here is to get statistics per category, i.e.:
state=down | timechart count by category

Since the metadata is more or less static and consumes ~50MB a csv lookup or something similar would be ideal. Not sure though how to format the csv file for fields with multiple values.

Any advice would be most appreciated!

Kind regards,
Patrik

1 Solution

Path Finder

Found how to do it myself:

If the same key exists in the CSV file, it will be added:
host_name,category
MyServer,gerbils
MyServer,hamsters
MyServer,monsters

Then it got all the categories. Case closed!

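To make the accepted answer's behaviour concrete, here is an added example (not from the thread) that emulates in Python what Splunk does with a CSV lookup whose key is repeated across rows: the matching rows are merged into a multivalue field, and `stats`/`timechart count by category` then counts one down event once under each of its categories. The lookup file, the events and the `max_matches` limit (the transforms.conf setting that caps how many rows a single key may return) are all constructed here.

```python
import csv
import io
from collections import defaultdict

# Constructed lookup table in the thread's layout: one row per (host, category).
LOOKUP_CSV = """host_name,category
MyServer,gerbils
MyServer,hamsters
MyServer,monsters
OtherBox,gerbils
"""

# Constructed events as the monitoring system emits them (no category field).
EVENTS = [
    {"_time": 1, "name": "MyServer", "id": "1000", "state": "down"},
    {"_time": 1, "name": "OtherBox", "id": "1001", "state": "down"},
    {"_time": 2, "name": "MyServer", "id": "1000", "state": "up"},
    {"_time": 2, "name": "Unknown", "id": "9999", "state": "down"},
]


def load_lookup(csv_text, key="host_name", field="category", max_matches=1000):
    """Build key -> list of values, like a Splunk CSV lookup with repeated keys.
    max_matches mirrors the transforms.conf setting: rows beyond it are dropped."""
    table = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if len(table[row[key]]) < max_matches:
            table[row[key]].append(row[field])
    return dict(table)


def apply_lookup(events, table, event_key="name", out_field="category"):
    """Emulates `| lookup host_categories host_name AS name OUTPUT category`.
    Hosts absent from the table simply get no category field."""
    enriched = []
    for ev in events:
        ev = dict(ev)
        if ev.get(event_key) in table:
            ev[out_field] = list(table[ev[event_key]])
        enriched.append(ev)
    return enriched


def count_down_by_category(events):
    """Emulates `state=down | stats count by category` on a multivalue field:
    an event with three categories is counted once under each of them."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("state") != "down":
            continue
        for cat in ev.get("category", []):
            counts[cat] += 1
    return dict(counts)
```

Because each event is counted under every category it belongs to, the per-category totals add up to more than the number of down events; keep that in mind when reading the timechart, and raise `max_matches` in the lookup definition if a host can carry more categories than the default allows.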
