OK, thank you. If I summarize my to-do list:

Step 1: Create the CSV file for the lookup
1. Create a CSV file, for example runbook_lookup.csv, with at least these columns:
   alert_name, runbook_url
   CPU > 90%, https://wiki.moc.local/runbooks/cpu_high
   Memory > 80%, https://wiki.moc.local/runbooks/memory_high
   Web Service Down, https://wiki.moc.local/runbooks/web_service_down
   DB Error, https://wiki.moc.local/runbooks/db_error
• alert_name → must match the exact name of your Splunk alert.
• runbook_url → link to the runbook or procedure.

Step 2: Upload the CSV to Splunk
1. In Splunk Web, go to Settings → Lookups → Lookup table files → Add new
2. Choose your app (e.g., Search & Reporting)
3. Select the CSV file runbook_lookup.csv
4. Give it an internal name (e.g., runbook_lookup.csv)

Step 3: Create the Lookup Definition
1. Still in Settings → Lookups → Lookup definitions → Add new
2. Definition name: runbook_lookup_def
3. Lookup file: select runbook_lookup.csv
4. Leave the other parameters as default

Step 4: Use the lookup in your search/alert
Let's say you have an alert that is triggered on alert_type:

index=server_logs severity=critical
| table _time alert_type host severity
| lookup runbook_lookup_def alert_name AS alert_type OUTPUT runbook_url
| table _time alert_type host severity runbook_url

Is that correct? Do you agree?
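The following is an added example, not code from the original post or from Splunk. It reproduces offline what the four steps above produce in Splunk: it parses the runbook CSV, checks it for the mistakes that make a lookup silently return nothing (missing columns, duplicate alert_name rows, whitespace around the key or the URL), and then applies the same exact-match, left-join semantics as `| lookup runbook_lookup_def alert_name AS alert_type OUTPUT runbook_url` to a handful of constructed events. The CSV text and the events are constructed sample data (one CSV row is deliberately written with a leading space to trigger the check); the wiki URLs are the ones from the post.

```python
"""
Offline check of a Splunk CSV runbook lookup.
Added example, not part of the original post. The CSV and events below are
constructed sample data; `alert_type` plays the role of the Splunk field of
the same name in the search.
"""
import csv
import io

# Constructed CSV with the columns described in the post. The " DB Error"
# row is deliberately sloppy (leading space) to show what the validator catches.
RUNBOOK_CSV = """\
alert_name,runbook_url
CPU > 90%,https://wiki.moc.local/runbooks/cpu_high
Memory > 80%,https://wiki.moc.local/runbooks/memory_high
Web Service Down,https://wiki.moc.local/runbooks/web_service_down
 DB Error,https://wiki.moc.local/runbooks/db_error
"""

# Constructed events in the shape produced by `index=server_logs severity=critical`.
EVENTS = [
    {"_time": "2024-05-01T10:00:00", "alert_type": "CPU > 90%", "host": "web01", "severity": "critical"},
    {"_time": "2024-05-01T10:05:00", "alert_type": "DB Error", "host": "db01", "severity": "critical"},
    {"_time": "2024-05-01T10:07:00", "alert_type": "Disk Full", "host": "web02", "severity": "critical"},
]


def load_lookup(csv_text):
    """Parse the lookup CSV into {alert_name: runbook_url} and collect problems
    that would make rows fail to match: missing columns, duplicate keys, and
    leading/trailing whitespace in the key or the URL."""
    reader = csv.DictReader(io.StringIO(csv_text))
    required = {"alert_name", "runbook_url"}
    missing = required - set(reader.fieldnames or [])
    if missing:
        return {}, [f"missing columns: {sorted(missing)}"]
    mapping, problems = {}, []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        name, url = row["alert_name"], row["runbook_url"]
        if name != name.strip() or url != url.strip():
            problems.append(f"line {lineno}: whitespace around {name!r} or its URL")
        if name in mapping:
            problems.append(f"line {lineno}: duplicate alert_name {name!r}")
        mapping[name] = url  # stored as-is, exactly like the file content
    return mapping, problems


def apply_lookup(events, mapping, case_sensitive=True):
    """Mimic `| lookup runbook_lookup_def alert_name AS alert_type OUTPUT runbook_url`:
    exact match on the key, left-join semantics, so an unmatched event simply
    gets no runbook_url field. CSV lookups match case-sensitively by default
    in Splunk; the flag lets you see what a case-insensitive definition would do."""
    index = mapping if case_sensitive else {k.lower(): v for k, v in mapping.items()}
    enriched = []
    for event in events:
        key = event["alert_type"] if case_sensitive else event["alert_type"].lower()
        row = dict(event)
        if key in index:
            row["runbook_url"] = index[key]
        enriched.append(row)
    return enriched


def unmatched_alerts(enriched):
    """Alert types that fired without a runbook, i.e. rows still to add to the CSV."""
    return sorted({e["alert_type"] for e in enriched if "runbook_url" not in e})


if __name__ == "__main__":
    mapping, problems = load_lookup(RUNBOOK_CSV)
    for p in problems:
        print("CSV problem:", p)
    rows = apply_lookup(EVENTS, mapping)
    for r in rows:  # same columns as the final `| table` in the search
        print(r["_time"], r["alert_type"], r["host"], r["severity"], r.get("runbook_url", ""))
    print("no runbook for:", unmatched_alerts(rows))
```

Running it shows the two ways an alert ends up without a runbook link: "Disk Full" is simply not in the CSV, and "DB Error" is in the CSV but stored as " DB Error", so the exact match fails. The validator reports the second case before the file is uploaded; the `unmatched_alerts` list is the same information you would get in Splunk by appending `| where isnull(runbook_url)` to the search.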