Splunk Enterprise

Bug with summary searches and inputlookup filtering

knielsen
Contributor

Hello,

A while ago, we updated from 6.5.2 to 7.3.4, and only now I noticed a very bizarre bug and different behaviour than from the old version.

We use summary indexes a lot. You often have daily or hourly summaries, and the summary data should have the timestamp of that range, right?

Let's say daily, search is setup to collect from -1d@d to @d, and is scheduled to run at 2:32am on July 8.

simple meaningless example search:

 

index=_internal source=splunkd (host=hostnameA OR host=hostnameB) | stats count

 

When this runs on July 8, 2:32am it will generate a summary entry with a count and a timestamp of July 7 midnight.

Now, when you use inputlookup as a filter method, the time when the search ran is used instead.

Simple lookup table and search:

 

test.csv:

host
hostnameA
hostnameB

index=_internal source=splunkd [| inputlookup test.csv | fields host] | stats count

 

Now this will generate a summary entry with a count and timestamp of July 8, 2:32am!

While this is as bad as it is, one thing is even worse: This makes it impossible to backfill summaries in a meaningful way. The time used when inputlookup comes into play, it's not the scheduled time, but the time the search was executed. Therefor, when you backfill for 20 days, all data for those 20 days will have almost the same timestamp, from when you started to execute the backfill.

I tried

 

index=_internal source=splunkd | search [| inputlookup test.csv | fields host] | stats count

 

as well,. but it is broken in the same way.

Does anybody know if that is fixed in a later version? This must be a very bizarre bug, right?

Labels (2)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...