Re: Can i use data input for a csv file which is a...

esmonder · ‎05-15-2018

Would there be any issues in adding in a csv files as a data input(files monitoring) that is already a lookup file?
I want to do this because searching the inputlookup table is really slow, and setting up custom alerts based on the inputlookup tables doesn't seem to be yielding any alerts (see: [https]://answers.splunk.com/answers/656957/custom-alert-based-on-inputlookup-table-not-sendin.html)

So just wondering if there is any value in the above proposed move and if there would any potential repercussions if i want to remove the index afterwards?

somesoni2 · ‎05-15-2018

IMO, searching on lookup table should be faster then that of indexed data, as it's a static data available locally on the search head. Are you running the query that you're in the post you shared? How many rows are there in the lookup table?

esmonder · ‎05-15-2018

Yes i am running the query in the post i shared. I figured that the eval time field is being run at eval time, that is why it is not sending alerts.

i have 3 input tables, and they all seem to take a while.
The biggest one has about 5 million rows

p_gurav · ‎05-15-2018

yes you can do that. But can you also share sample data and search you are trying to build?

Can i use data input for a csv file which is already a lookup file?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk