topic Re: What is Placeholder? How to create it? How it works in lookup? in Splunk Search

What is Placeholder? How to create it and how does it works in lookup?

alexspunkshell — Mon, 28 Mar 2022 21:20:11 GMT

Can someone help with Splunk Placeholder?

What is Placeholder? How to create it? How does it work in lookup?

How to make changes to existing Placeholder

Re: What is Placeholder? How to create it? How it works in lookup?

richgalloway — Fri, 25 Mar 2022 15:25:07 GMT

Please tell us more. Where did Wlist.csv come from? What app is it? "PLACEHOLDER" must have been inserted by the author of the lookup file or the app.

Re: What is Placeholder? How to create it? How it works in lookup?

PickleRick — Fri, 25 Mar 2022 16:04:41 GMT

In general, a placeholder is something that - as the name suggests - holds the place. It is usually used instead of a real data, for example, to make sure that the data structure is right.

Most probably someone who created the lookup put a "PLACEHOLDER" value there to make clear that this is not an example of a real production data but it's just put there to keep the table structure with something inside.

It's in no way a special value for the lookup. It's treated as any other lookup value.

Re: What is Placeholder? How to create it? How it works in lookup?

alexspunkshell — Fri, 25 Mar 2022 16:34:50 GMT

@richgalloway @PickleRick Thanks for your response

I have a below query. It uses the lookup and I can get the results.

But, when I check that lookup table there is no data. It just shows a placeholder.

I also checked in lookup table & lookup definition. But I am unable to find such a lookup name available but I am getting the results for my query.

Could you please help me with how it is working here?

Re: What is Placeholder? How to create it? How it works in lookup?

PickleRick — Fri, 25 Mar 2022 17:15:18 GMT

This is a relatively normal practice - you either define a lookup or a macro to store some configuration parameters. In your case it's supposed to be a list of hosts which should for whatever reason be excluded from your search.

This way you externalize the configuration part from the logic.

Let's say you create an app which provides some reports and dashboards. If you "export" the settings to an alias or lookup, you can easily maintain the dashboards/reports/whatevers regardless of what the user of the app configured in those aliases or lookups. This way you can easily maintain your app and upgrade functionality and searches behind the app functionality and it doesn't touch user's configuration.

For example - if I create an app with a dashboard pulling data from an index containing events regarding, let's say, your OpenStack infrastructure. As I have no knowledge about your splunk environment I have no way of knowing where you store your events. So I can either hardcode index names into my searches making the app very inconvenient for you to use since you have to conform strictly to index names (which could be conflicting with some other apps if they were written equally badly) or I can externalize that index definition into an alias or lookup. This way I'll put into my app search like

`openstack_indexes` <my_search>

[ | inputlookup openstack_indexes | table index ] <my_search>

And you wanting to use my app have to define a macro called openstack_indexes which will expand to something like

index=my_openstack_events

or a lookup which has field called index holding index names.

And coming back to your case - if your wlist.csv lookup contains only the placeholder you effectively don't add any reasonable constraints on your search so it works as if that condition using inputlookup was not present at all (because you're adding a condition of NOT host=PLACEHOLDER to your search.

If you added some lines to the wlist.csv lookup, with values of host1, host2 and host3 in the host field (the notes field is ignored in your subsearch) the first part of your search would effectively get expanded after the subsearch execution to

index=* component=HostWide NOT (host=host1 OR host=host2 OR host=host3 OR host=PLACEHOLDER)

Assuming that you left the PLACEHOLDER where it is.

Re: What is Placeholder? How to create it? How it works in lookup?

alexspunkshell — Sat, 26 Mar 2022 07:26:25 GMT

@PickleRick Thanks for your detailed information.

Now I want to edit the info in the existing lookup file. Can u please help me with how to download the original lookup? Where I can find it?

I can find in Setting --> Lookup

Since the lookup is showing a placeholder, how to make the changes in the placeholder?

Re: What is Placeholder? How to create it? How it works in lookup?

PickleRick — Sat, 26 Mar 2022 08:15:10 GMT

There are several ways of modifying lookups:

1) Use outputlookup command to write results of your search to a lookup

2) Delete old csv file and upload new one (works with csv-backed lookups)

3) Install lookup editor app - https://splunkbase.splunk.com/app/1724/