Hello pipegrep,
I think you could resolve you problem with a single lookup, let's say hosts.csv, which would looks like:
host, role, owner
hosta, aaa, john
hostb, ccc, mary
now you could use your search like:
index="_internal" source="*metrics.log" group="per_host_thruput"| chart sum(kb) by series date_month | lookup hosts.csv host | sort + series
The search command would grab the corresponding Role and Owner from the lookup file and add the additional columns to your chart.
ps.: remember to save your lookup inside the $SPLUNK_HOME/etc/apps//lookups . `` normally is search.
Does that makes sense?
Cheers,
... View more