Getting Data In

Integrating a series of flat values into Splunk

srw46
Path Finder

Hello all,

I'm fishing for ideas, or for anybody who has previous experience with this.

Essentially, we have two tables of (mostly) fixed data which we would like to 'teach' Splunk (for want of a better term).

To put it in context we have throughput files that report a transaction ID and a transaction time, Splunk grabs these fields no problem. Elsewhere in some flat tables we have transaction names (that relate to an ID) and a time threshold for each transaction time.

Is there any way we can bring this data into the mix? If Splunk can know about the average for each transaction, and compare to the actual times (our main concern), and if it could line up the arbitrary transaction IDs with the meaningful names, it would make analysis of the logs infinitely more useful.

I'm a bit of a Splunk noob (actually, a lot of one) so sorry if there is precedent for this or some glaringly obvious answer. Really just looking for any sort of starting point.

Thanks in advance for any advice you can give. I can elaborate further if need be.

1 Solution

Lowell
Super Champion

I'm not "100%" sure what you mean by flat tables, but it sounds like what you are looking for is Splunk's lookup mechanism, which is new in Splunk 4.x.

You have two different options for lookups:

  • Simple flat file (*.csv)
  • Scripted lookups (you write a small Python script which does the heavy lifting, which lets you do whatever kind of lookup you'd need, like a SQL query, internet lookup, or whatever else you need.)

Docs:
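As an added illustration of the second option (example code, not from the original answer or from Splunk itself), a scripted lookup that fills in the transaction name and time threshold for a transaction ID. Splunk's external lookup protocol passes the field names as script arguments, sends the rows to enrich as CSV on stdin and expects CSV with the same header back on stdout; the field names, the lookup stanza name and the sample table are assumptions.

```python
#!/usr/bin/env python3
"""Splunk external (scripted) lookup: transaction_id -> transaction_name, threshold_ms.

Assumed transforms.conf wiring (stanza name and fields are assumptions):
    [txn_lookup]
    external_cmd = txn_lookup.py transaction_id transaction_name threshold_ms
    fields_list  = transaction_id, transaction_name, threshold_ms
Assumed search usage, comparing actual time against the per-transaction threshold:
    ... | lookup txn_lookup transaction_id OUTPUT transaction_name threshold_ms
        | eval over_threshold=if(transaction_time > threshold_ms, 1, 0)
"""
import csv
import sys

# Constructed sample of the "flat table". In a real deployment this is where the
# script would read the file or query a database, which is the point of scripting.
TRANSACTION_TABLE = {
    "T001": {"transaction_name": "login", "threshold_ms": "250"},
    "T002": {"transaction_name": "checkout", "threshold_ms": "1200"},
}

FIELDS = ["transaction_id", "transaction_name", "threshold_ms"]


def enrich(rows, table=TRANSACTION_TABLE):
    """Fill transaction_name/threshold_ms for each row keyed by transaction_id.

    Unknown IDs are passed through with empty output fields (Splunk reads an
    empty field as "no match"), so a malformed ID never crashes the lookup."""
    out = []
    for row in rows:
        key = (row.get("transaction_id") or "").strip()
        match = table.get(key, {})
        enriched = dict(row)
        for field in FIELDS[1:]:
            if not enriched.get(field):          # only fill what Splunk left blank
                enriched[field] = match.get(field, "")
        out.append(enriched)
    return out


def main():
    reader = csv.DictReader(sys.stdin)
    fields = reader.fieldnames or FIELDS          # echo Splunk's header exactly
    writer = csv.DictWriter(sys.stdout, fieldnames=fields)
    writer.writeheader()
    for row in enrich(list(reader)):
        writer.writerow({k: row.get(k, "") for k in fields})


if __name__ == "__main__":
    main()
```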


Lowell
Super Champion

Great. If this answers your question, you can indicate so by clicking the check mark on the side.


srw46
Path Finder

Thank you Lowell, this is indeed what we were looking for!
