All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does the tSessions_Lookup_Update report take a long time to complete?

danielbb
Motivator
‎01-07-2020 12:55 PM

The tSessions_Lookup_Update report from the splunk_app_windows_infrastructure is the main or only report for which we see many skipped searches.

The code is -

`tsessions` 
| eval _key = session_id 
| sort 0 _time 
| outputlookup tSessions append=true

| inputlookup tSessions is not even responsive.

What can it be?

0 Karma
Reply

danielbb
Motivator
‎01-14-2020 09:44 AM

Looking via the MC at search->kvstore->instance and we see -

alt text

We see 268,809,800 objects for this collection. Does it make sense to have so many objects? Should we maybe initialize this collection?

0 Karma
Reply

lim2
Communicator
‎06-23-2021 02:11 PM

You may need to add the index, especially if running the SPL as Splunk admin. Else will look through all available Splunk indexes. The actual saved search for tSessions_Lookup_Update in https://splunkbase.splunk.com/app/1680/ (Splunk App for Windows Infrastructure) included index as following.

`wineventlog-index` `tsessions`|eval _key = session_id |sort 0 _time|outputlookup tSessions  append=true

 

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...