All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Possible incorrect lookup statement in Splunk App for AWS

imarks004
Path Finder
‎11-13-2015 11:16 AM

I am not seeing certain dashboard panels load data in the Splunk App for AWS and I believe it is related to a bad lookup. The lookup is lookup regions.csv region OUTPUT label as region. I do not believe you can rename (AS) the output name back to the original source field name. If I do lookup regions.csv region OUTPUT label as new_region it works or lookup regions.csv region OUTPUT label | rename label AS region it works. Should this lookup work as-is or is it a bug?

0 Karma
Reply

pchen_splunk
Splunk Employee
Splunk Employee
‎11-16-2015 01:21 PM

Hi, please try the following SQL in AWS app to see if an result. It uses the regions.csv as lookup. In my Splunk 6.3, it works. If you see any error pops, please post the error message here and the version of your splunk, as well as the content in /etc/apps/splunk_app_aws/lookups/regions.csv. 

`aws-config-resources(*, *, "AWS::EC2::Volume")`
| join resourceId type="outer" [search earliest=-1d `aws-description-snapshot($accountId$, $region$)`
| rename volume_id as resourceId, id as snapshotId] 
| eval snapTime=strptime(start_time, "%Y-%m-%dT%T") 
| eval diff=round((now()-snapTime)/86400,0) 
| where NOT (diff>0 AND diff<30) 
| sort -diff
| fillnull value="N/A"
| table resourceId, region, configuration.size, configuration.volumeType, configuration.state, snapshotId,start_time, diff
| lookup regions.csv region OUTPUT label as region
| rename resourceId as ID, region as Region, configuration.size as "Size (GB)", configuration.volumeType as Type, configuration.state as State, snapshotId as "Snapshot ID", start_time as "Latest Snapshot", diff as "Snapshot Age (days)"
0 Karma
Reply

imarks004
Path Finder
‎11-17-2015 04:38 AM

So no error, just the same behavior where region does not get populated. I am still running Splunk 6.2.2 (build 255606).

Example where no results come back.
index=aws sourcetype="aws:config" | lookup regions.csv region OUTPUT label as region | stats count by region

Example with the expected results.
index=aws sourcetype="aws:config" | lookup regions.csv region OUTPUT label as aa_region | stats count by aa_region

splunk_app_aws/lookups/regions.csv
region,location,lat,lon,label
ap-northeast-1,Tokyo,35.41,139.42,"Asia Pacific (Tokyo)"
ap-southeast-1,Singapore,1.37,103.8,"Asia Pacific (Singapore)"
ap-southeast-2,Sydney,-33.86,151.2,"Asia Pacific (Sydney)"
eu-central-1,Frankfurt,50.11,8.68,"EU (Frankfurt)"
eu-west-1,Ireland,53,-8,"EU (Ireland)"
sa-east-1,Sao Paulo,-23.34,-46.38,"South America (Sao Paulo)"
us-east-1,Virginia,38.13,-78.45,"US East (N. Virginia)"
us-west-1,California,41.48,-120.53,"US West (N. California)"
us-west-2,Oregon,46.15,-123.88,"US West (Oregon)"

0 Karma
Reply

czhang_splunk
Splunk Employee
Splunk Employee
‎11-23-2015 02:23 AM

Hi, thank you for the feedback! I have tested it on both 6.2.2 and 6.2.7. It works on 6.2.7, but broken on 6.2.2 😞
So I would say it is a bug on 6.2.2

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...