Getting Data In

size and timestamp of lookup files


The lookup table files view only shows some basic info about the file.
I often like to know the size and the age of the files.
I've seen some Python additions to show that, but the lookup table file view seems to be the logical place to add such info.

Can this be added in a future Splunk release?



If you were looking to add this now (and assuming you are on Linux), you could make a quick and dirty script that collects that info into index ...

i.e. if you made an app on your search head:

mkdir /opt/splunk/etc/apps/lookup_evaluator
mkdir /opt/splunk/etc/apps/lookup_evaluator/bin
mkdir /opt/splunk/etc/apps/lookup_evaluator/local
mkdir /opt/splunk/etc/apps/lookup_evaluator/metadata

And then made a script that grabs what you are looking for:

/opt/splunk/etc/apps/lookup_evaluator/bin# cat ./ 
#!/bin/bash
# As posted: pull the lookup file paths out of btool's --debug output, strip the
# trailing [stanza] column, and run ls -lah on the resulting list of files.
# Caveat: ls -l prints "Mon DD HH:MM" for files modified within roughly the last
# six months and "Mon DD  YYYY" for older ones; the props.conf regex below only
# matches the first form, and -h makes the size column human-readable (e.g. 12K).
ls -lah $(/opt/splunk/bin/splunk btool lookups list --debug | egrep "\.csv|\.kmz" | sed -r "s/(.+)\s+\[\w+\.\w+\]/\1/g")

And then made an inputs.conf to run that script

/opt/splunk/etc/apps/lookup_evaluator/local# cat ./inputs.conf 
# The stanza names the script to run, relative to the app directory; the
# script's filename is not shown above, so substitute your own.
[script://./bin/<script name>]
interval = 60
index = main
sourcetype = lookuplookups

And then made a props.conf to evaluate the output from the script

/opt/splunk/etc/apps/lookup_evaluator/local# cat ./props.conf 
# Applies to the sourcetype set in inputs.conf
[lookuplookups]
# One ls -l line per event; disable line merging so consecutive lines are not joined
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Field names for the ls -l columns; last_modified_date only matches the "Mon DD HH:MM" form
EXTRACT-01-lookuplookupsfields = ^(?<permissions>\S+)\s+(?<linkcount>\d+)\s+(?<owner>\S+)\s+(?<group>\S+)\s+(?<size>\S+)\s+(?<last_modified_date>\w{3}\s+\d+\s\d+\:\d+)\s+(?<path>.+)
EVAL-last_modified_timestamp = strptime(last_modified_date, "%b %d %H:%M")
EVAL-sec_since_last_modified = now() - last_modified_timestamp

And then finally add local/app.conf and metadata/local.meta to make this a proper app:

/opt/splunk/etc/apps/lookup_evaluator/local# cat ./app.conf 
[install]
is_configured = true

[ui]
is_visible = 0
label = lookup_evaluator

[launcher]
author = Me
description = Collect last modified time and size of lookups in Splunk
version = 0.0.1

[package]
id = lookup_evaluator


/opt/splunk/etc/apps/lookup_evaluator/metadata# cat ./local.meta 
# The empty stanza applies to every object in the app
[]
access = read : [*], write : [admin]
export = system

You would end up with events that gave you the data you were looking for, and they would be timestamped, so you could track the growth and change of your lookup files over time.

Hope this helps.
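An added example, not part of the answer above, of the same scripted-input approach written so that the parsing step in props.conf is unnecessary: it walks the apps directory with find and reads size and mtime with stat(1) instead of ls -l, so the output does not change shape for files older than six months, and it emits one key=value line per lookup file that Splunk's default search-time field extraction picks up as-is. It assumes GNU coreutils on Linux (stat -c, date -d) and a default SPLUNK_HOME of /opt/splunk; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): one key=value event per lookup file,
# intended as a Splunk scripted input. Assumes GNU coreutils on Linux.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# lookup_report DIR
# Prints one line per lookup file below DIR, in the form
#   <ISO timestamp> path="..." size_bytes=N mtime="..." mtime_epoch=N age_sec=N
# Only files under a lookups/ directory with a lookup-style extension are listed.
lookup_report() {
    base="$1"
    now=$(date +%s)
    find "$base" -type f -path '*/lookups/*' \
        \( -name '*.csv' -o -name '*.csv.gz' -o -name '*.kmz' \) 2>/dev/null \
    | sort | while IFS= read -r f; do
        # stat gives size in bytes and mtime as epoch seconds, as plain integers
        set -- $(stat -c '%s %Y' "$f")
        size=$1
        mtime=$2
        iso=$(date -u -d "@$mtime" +%Y-%m-%dT%H:%M:%SZ)
        printf '%s path="%s" size_bytes=%s mtime="%s" mtime_epoch=%s age_sec=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$f" "$size" "$iso" "$mtime" "$((now - mtime))"
    done
}

# Stand-alone demo on a constructed fixture, so the script can be tried without Splunk.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/apps/search/lookups" "$tmp/apps/other/lookups"
    printf 'host,owner\nweb01,alice\n' > "$tmp/apps/search/lookups/hosts.csv"
    printf 'a,b\n' > "$tmp/apps/other/lookups/old.csv"
    # Backdate one file to 2000-01-01: ls -l would print a year here, stat does not care
    touch -d '@946684800' "$tmp/apps/other/lookups/old.csv"
    lookup_report "$tmp/apps"
    rm -rf "$tmp"
}

case "${1:-}" in
    --demo) demo ;;
    "")     lookup_report "$SPLUNK_HOME/etc/apps" ;;
    *)      lookup_report "$1" ;;
esac
```

Run it with `--demo` to see the output shape, or with no arguments as the scripted input; the leading ISO timestamp becomes `_time`, and the `key=value` pairs are extracted at search time, so `| timechart max(size_bytes) by path` works without an EXTRACT regex.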


Thanks for your comments, Darren.
Unfortunately I have no access at the command line level, so implementing this requires me to go to the application management team.
It seems such an easy feature to add to the GUI....



If you have sufficient access on Splunk, you may not need command line access: create all the files, compress them into a tar.gz file, then use Apps -> Manage Apps -> Install app from file to load the app onto your Splunk installation. Then restart the Splunk instance and it should work fine.

Splunk will run on your laptop/desktop, so you can create and test the configs before you install them on the production instance.



If this reply helps you, an upvote would be appreciated.


Thanks for the pointer! Just created it as a new idea...
