Getting Data In

Is there a way to tell what is populating a LOOKUP csv file?

Gregski11
Contributor

I inherited a Splunk environment I was informed the other day that a computers.csv lookup is not generating any results, is there a way to find out what should be populating that file which is currently empty, I did find the App which houses the lookup csv 

Labels (1)
0 Karma

Gregski11
Contributor

I ranned this and found some clues

 

 

| rest splunk_server=local /servicesNS/-/-/saved/searches
| table title eai:acl.app eai:acl.owner search
| where match(search,"computers.csv")

richgalloway
SplunkTrust
SplunkTrust

Search your saved searches for the name of the lookup file.

 

| rest /servicesNS/-/-/saved/searches splunk_server=local
| search search="*computers.csv*" search="*outputlookup*"
| table title

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

Gregski11
Contributor

thanks Rich I ran those searches in two separate Splunk environments (the lookup is working in one but not in the other) and got this error in both:

No results found. Try expanding the time range.

 

even after expanding the time range to 30 days I get nothing, plus I don't understand what you are having me do, could you explain please 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I left out some key wildcards.  I've updated my answer.

Like I said in the answer, the query searches your saved searches, reports, and alerts (all the same thing, really) for references to the lookup file.  It also searches for the outputlookup command to help narrow the scope to those searches that write to the lookup.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...