Bob Fox: 40 days of 4.0

40 Days of 4.0: Enriching Data with Lookups (Part 1)

Many customers tell me that they see a lot of value when Splunk is used to enrich IT data with information from another source.  An example of such an enrichment could be a cross reference between a customer’s username found in an application log and that same customer’s information extracted from a contact management system.  How amazing would it be to have a customer service representative make a phone call to Mr. Smith to ask if he needed help logging onto their system after a number of failed logins?

Splunk has always been able to do data enrichment, but the newly released Splunk 4 really simplifies the process.  In this post, I’ll give a quick example of using a CSV file to provide data enrichment to an application log.  In future posts, I’ll show how to use an external database as the data source.

Let’s start with some mock application data.  To keep things simple, we’ll use this as our application log:
Jul 27 08:35:09 appname=app4 error=123
Jul 27 08:35:19 appname=app3 error=123
Jul 27 08:35:29 appname=app1 error=163
Jul 27 08:35:39 appname=app1 error=123
Jul 27 08:35:49 appname=app1 error=133
Jul 27 08:35:59 appname=app1 error=123
Jul 27 08:36:09 appname=app1 error=123
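To make the enrichment concrete before the Splunk configuration itself, here is an added example (not code from the original post or from Splunk) that mirrors what a Splunk CSV lookup does: it parses the mock log above into key=value fields, left-joins each event against a lookup table keyed on the error code, and then counts events by the enriched fields. The lookup CSV contents (error descriptions and severities) are constructed for this example, and error 163 is deliberately left out of the table to show that an unmatched event simply keeps its original fields.

```python
import csv
import io
import re
from collections import Counter

# The mock application log from the post, embedded so the example runs offline.
APP_LOG = """\
Jul 27 08:35:09 appname=app4 error=123
Jul 27 08:35:19 appname=app3 error=123
Jul 27 08:35:29 appname=app1 error=163
Jul 27 08:35:39 appname=app1 error=123
Jul 27 08:35:49 appname=app1 error=133
Jul 27 08:35:59 appname=app1 error=123
Jul 27 08:36:09 appname=app1 error=123
"""

# Constructed lookup table (an assumption, not from the post). In Splunk this
# would be a file such as lookups/error_codes.csv; error 163 is intentionally
# absent so the unmatched path is exercised.
ERROR_LOOKUP_CSV = """\
error,description,severity
123,Login failed,warning
133,Session timeout,info
"""

# key=value pairs after the 15-character syslog-style timestamp.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one log line into its timestamp and key=value fields."""
    fields = dict(KV_RE.findall(line[15:]))
    fields["_time"] = line[:15]
    return fields


def load_lookup(csv_text, key):
    """Read a CSV lookup table into a dict indexed by the join key."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}


def enrich(events, lookup, key):
    """Left-join: add the lookup row's columns to each event whose key matches.
    Events with no matching row are returned unchanged, which is also the
    default behaviour of Splunk's lookup command."""
    enriched_events = []
    for event in events:
        enriched = dict(event)
        row = lookup.get(event.get(key))
        if row is not None:
            enriched.update({k: v for k, v in row.items() if k != key})
        enriched_events.append(enriched)
    return enriched_events


def enrich_log(log_text=APP_LOG, lookup_csv=ERROR_LOOKUP_CSV, key="error"):
    """Parse the log and enrich every event from the CSV lookup."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return enrich(events, load_lookup(lookup_csv, key), key)


def count_by(events, field, where=None):
    """Count events per value of `field`, optionally filtered by a predicate;
    events lacking the field are counted under 'unknown'."""
    selected = events if where is None else [e for e in events if where(e)]
    return dict(Counter(e.get(field, "unknown") for e in selected))


if __name__ == "__main__":
    events = enrich_log()
    for event in events:
        print(event)
    # How many events of each severity, and which applications keep failing logins?
    print(count_by(events, "severity"))
    print(count_by(events, "appname", where=lambda e: e.get("error") == "123"))
```

In Splunk the same join is a single search command once the CSV is defined as a lookup table, for example `... | lookup error_codes error OUTPUT description severity`, and the per-application count of failed logins is then a `stats count by appname` over the enriched events; the Python above only makes visible what that pipeline does with each event.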