Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Steps to use included Lookup tables that come with Splunk enterprise & ES

SamHTexas
Builder
‎03-20-2021 07:46 PM

Steps to use included Lookup tables that come with Splunk enterprise & ES. I have over 100 Lookup tables that I have in Splunk Enterprise & about 100 Lookup tables with ES. How ready are they to be used. What else do I have to do in order to put them to a good use?

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-20-2021 11:59 PM

Hi @SamHTexas,

I'd start to check which ones are automatically updated by scripts or scheduled searches: these lookups don't need maintenance and it's better not touching them.

Then you should understand which of the remaining ones are still in use or not , which ones are in apps that you don't use and, more important thing, which ones you have to manually maintain.

When you'll have a compete situation, you'll be able to manage your lookups, eventually using the Lookup Editor App, but the first thing is a complete situation.

Ciao.

Giuseppe

Reply

SamHTexas
Builder
‎03-21-2021 12:19 PM

The information about which is supported via a script or automatically found in the properties of each look up right? Or found by trying to edit one? I am checking them. Grazie.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2021 12:24 PM

Hi, @SamHTexas ,

no they aren't in the properties, you have to search in the scheduled searches.

Ciao.

Giuseppe

0 Karma
Reply

SamHTexas
Builder
‎03-21-2021 01:30 PM

One more question please. So where are the KVstore based & scripted based located? 

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-22-2021 12:05 AM

Hi @SamHTexas,

all the lookups (file, kv-store, script, etc...) are located on the Search Heads.

Ciao and happy splunking.

Giuseppe

P.S.: if the answer solves your need, please accept it for the other people of Community and Karma Points are appreciated 😉

See next time!

0 Karma
Reply

SamHTexas
Builder
‎03-22-2021 07:30 AM

In the Splunk environment I inherited. They are  on SHs & many on the ES server. Would the scripted & KV store be list under the Lookup Definitions? Grazie mille.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-22-2021 07:41 AM

Hi @SamHTexas,

yes, you can find them in the Lookup Definitions.

If you have a Search Head Cluster, you have to search Lookups definitions in only one of them because they are replicated on the other SHs

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...