I have an event as shown below that reports the replication status
cn=host2:1636,cn=host1:1389,ibm-replicaGroup=default,CN=Policy1
ibm-replicationPendingChangeCount=0
cn=host2:1636,cn=host1:1389,ibm-replicaGroup=default,O=org1
ibm-replicationPendingChangeCount=0
I have a CSV file that lists the status codes:
Decvalue Value Hexvalue Brief Description
0 LDAP_SUCCESS 0 The request was successful
1 LDAP_OPERATIONS_ERROR 1 An operations error occurred.
2 LDAP_PROTOCOL_ERROR 2 A protocol violation was detected.
3 LDAP_TIMELIMIT_EXCEEDED 3 An LDAP time limit was exceeded.
4 LDAP_SIZELIMIT_EXCEEDED 4 An LDAP size limit was exceeded.
5 LDAP_COMPARE_FALSE 5 A compare operation returned false.
I want to use the Lookup command to refer to the CSV file to list the status description.
My search so far is this:
host=my host index=web_logging source="mypath/report.txt"
Question: Where do I put the CSV file? I have One Search Head and three Indexers.
If you have your own app, put the CSV in SPLUNK_HOME/etc/apps/myapp/lookups. Otherwise, put it in SPLUNK_HOME/etc/system/lookups.
If you have your own app, put the CSV in SPLUNK_HOME/etc/apps/myapp/lookups. Otherwise, put it in SPLUNK_HOME/etc/system/lookups.