Splunk Enterprise

Bug with summary searches and inputlookup filtering

knielsen
Contributor

Hello,

A while ago, we updated from 6.5.2 to 7.3.4, and only now I noticed a very bizarre bug and different behaviour than from the old version.

We use summary indexes a lot. You often have daily or hourly summaries, and the summary data should have the timestamp of that range, right?

Let's say daily, search is setup to collect from -1d@d to @d, and is scheduled to run at 2:32am on July 8.

simple meaningless example search:

 

index=_internal source=splunkd (host=hostnameA OR host=hostnameB) | stats count

 

When this runs on July 8, 2:32am it will generate a summary entry with a count and a timestamp of July 7 midnight.

Now, when you use inputlookup as a filter method, the time when the search ran is used instead.

Simple lookup table and search:

 

test.csv:

host
hostnameA
hostnameB

index=_internal source=splunkd [| inputlookup test.csv | fields host] | stats count

 

Now this will generate a summary entry with a count and timestamp of July 8, 2:32am!

While this is as bad as it is, one thing is even worse: This makes it impossible to backfill summaries in a meaningful way. The time used when inputlookup comes into play, it's not the scheduled time, but the time the search was executed. Therefor, when you backfill for 20 days, all data for those 20 days will have almost the same timestamp, from when you started to execute the backfill.

I tried

 

index=_internal source=splunkd | search [| inputlookup test.csv | fields host] | stats count

 

as well,. but it is broken in the same way.

Does anybody know if that is fixed in a later version? This must be a very bizarre bug, right?

Labels (2)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...