All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Possible incorrect lookup statement in Splunk App for AWS

imarks004
Path Finder
‎11-13-2015 11:16 AM

I am not seeing certain dashboard panels load data in the Splunk App for AWS and I believe it is related to a bad lookup. The lookup is lookup regions.csv region OUTPUT label as region. I do not believe you can rename (AS) the output name back to the original source field name. If I do lookup regions.csv region OUTPUT label as new_region it works or lookup regions.csv region OUTPUT label | rename label AS region it works. Should this lookup work as-is or is it a bug?

0 Karma
Reply

pchen_splunk
Splunk Employee
Splunk Employee
‎11-16-2015 01:21 PM

Hi, please try the following SQL in AWS app to see if an result. It uses the regions.csv as lookup. In my Splunk 6.3, it works. If you see any error pops, please post the error message here and the version of your splunk, as well as the content in /etc/apps/splunk_app_aws/lookups/regions.csv. 

`aws-config-resources(*, *, "AWS::EC2::Volume")`
| join resourceId type="outer" [search earliest=-1d `aws-description-snapshot($accountId$, $region$)`
| rename volume_id as resourceId, id as snapshotId] 
| eval snapTime=strptime(start_time, "%Y-%m-%dT%T") 
| eval diff=round((now()-snapTime)/86400,0) 
| where NOT (diff>0 AND diff<30) 
| sort -diff
| fillnull value="N/A"
| table resourceId, region, configuration.size, configuration.volumeType, configuration.state, snapshotId,start_time, diff
| lookup regions.csv region OUTPUT label as region
| rename resourceId as ID, region as Region, configuration.size as "Size (GB)", configuration.volumeType as Type, configuration.state as State, snapshotId as "Snapshot ID", start_time as "Latest Snapshot", diff as "Snapshot Age (days)"
0 Karma
Reply

imarks004
Path Finder
‎11-17-2015 04:38 AM

So no error, just the same behavior where region does not get populated. I am still running Splunk 6.2.2 (build 255606).

Example where no results come back.
index=aws sourcetype="aws:config" | lookup regions.csv region OUTPUT label as region | stats count by region

Example with the expected results.
index=aws sourcetype="aws:config" | lookup regions.csv region OUTPUT label as aa_region | stats count by aa_region

splunk_app_aws/lookups/regions.csv
region,location,lat,lon,label
ap-northeast-1,Tokyo,35.41,139.42,"Asia Pacific (Tokyo)"
ap-southeast-1,Singapore,1.37,103.8,"Asia Pacific (Singapore)"
ap-southeast-2,Sydney,-33.86,151.2,"Asia Pacific (Sydney)"
eu-central-1,Frankfurt,50.11,8.68,"EU (Frankfurt)"
eu-west-1,Ireland,53,-8,"EU (Ireland)"
sa-east-1,Sao Paulo,-23.34,-46.38,"South America (Sao Paulo)"
us-east-1,Virginia,38.13,-78.45,"US East (N. Virginia)"
us-west-1,California,41.48,-120.53,"US West (N. California)"
us-west-2,Oregon,46.15,-123.88,"US West (Oregon)"

0 Karma
Reply

czhang_splunk
Splunk Employee
Splunk Employee
‎11-23-2015 02:23 AM

Hi, thank you for the feedback! I have tested it on both 6.2.2 and 6.2.7. It works on 6.2.7, but broken on 6.2.2 😞
So I would say it is a bug on 6.2.2

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...