Splunk Search

How do I get a list of all my lookups with their file size?

BuzzLights10
Explorer

Hey Splunkers,

I wanted to get a list of all the lookup files on my SH and their file sizes along with other data. I can't get the size from the rest API. Appreciate any and all answers. 

Below are the searches I've been trying to use:

| rest /servicesNS/-/-/data/lookup-table-files
| rename "eai:acl.app" as app, "eai:acl.owner" as owner, "eai:acl.sharing" as sharing, "eai:data" as path
| table title owner sharing app

| foreach title
[| inputlookup <<FIELD>>
| foreach * 
    [| eval b_<<FIELD>>=len(<<FIELD>>) + 1 ] 
| addtotals b_* fieldname=b 
| stats sum(b) as b 
| eval mb=b/1000/1000, gb=mb/1000 
| fields mb]

The foreach does not allow non-streaming commands and thus this does not work. Using a direct eval like below:

| rest /servicesNS/-/-/data/lookup-table-files
| rename "eai:acl.app" as app, "eai:acl.owner" as owner, "eai:acl.sharing" as sharing, "eai:data" as path
| table title owner sharing app
| eval size=
[| inputlookup 'title'
| foreach * 
    [| eval b_<<FIELD>>=len(<<FIELD>>) + 1 ] 
| addtotals b_* fieldname=b 
| stats sum(b) as b 
| eval mb=b/1000/1000, gb=mb/1000 
| fields mb]

This also does not work since the inner search cannot see the outer values. 


I have been trying to work with subsearches, foreach and the map command but couldn't get anywhere.


Thanks in advance folks


richgalloway
SplunkTrust

It may not be all-inclusive, but you can get lookup file sizes from the audit index.

index=_audit isdir=0 size lookups action IN (update created modified add) 
| stats latest(eval(size/1024/1024)) as size_mb latest(_time) as _time by path
---
If this reply helps you, Karma would be appreciated.
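To show what the audit-based search above is doing, here is an added Python illustration (not code from this thread or from Splunk) that replays the same logic over a few constructed audit-style events: keep only file events (isdir=0) with a size-bearing action, take the latest size per path, and then join that onto lookup metadata of the kind the lookup-table-files REST endpoint returns (title, app, owner, eai:data path). The event layout and field names are assumptions modelled on the fields the search filters on; the third lookup in the sample has no audit event at all, which is the "may not be all-inclusive" case.

```python
"""Replay `index=_audit ... | stats latest(size) by path` over constructed events."""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Key=value pairs inside the audit line; values are either "quoted" or bare.
AUDIT_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\]]+))')
TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"          # assumed timestamp layout
SIZE_ACTIONS = {"update", "created", "modified", "add"}   # same set as the search

# Constructed sample events (not real _audit output); layout is an assumption.
SAMPLE_AUDIT_EVENTS = [
    'Audit:[timestamp=01-10-2024 09:00:00.000, user=admin, action=created, '
    'path="/opt/splunk/etc/apps/search/lookups/assets.csv", isdir=0, size=524288]',
    'Audit:[timestamp=01-10-2024 09:05:00.000, user=admin, action=search, '
    'info=granted, search="index=_audit"]',                       # no path/size
    'Audit:[timestamp=01-10-2024 09:10:00.000, user=splunk-system-user, action=modified, '
    'path="/opt/splunk/etc/apps/search/lookups", isdir=1, size=4096]',  # directory
    'Audit:[timestamp=01-10-2024 09:15:00.000, user=admin, action=modified, '
    'path="/opt/splunk/etc/apps/search/lookups/users.csv", isdir=0, size=2048]',
    'Audit:[timestamp=01-10-2024 10:30:00.000, user=admin, action=update, '
    'path="/opt/splunk/etc/apps/search/lookups/assets.csv", isdir=0, size=1048576]',
]

# Constructed rows shaped like `| rest ... | rename eai:data as path`.
SAMPLE_REST_ROWS = [
    {"title": "assets.csv", "app": "search", "owner": "admin",
     "path": "/opt/splunk/etc/apps/search/lookups/assets.csv"},
    {"title": "users.csv", "app": "search", "owner": "admin",
     "path": "/opt/splunk/etc/apps/search/lookups/users.csv"},
    {"title": "hosts.csv", "app": "search", "owner": "nobody",
     "path": "/opt/splunk/etc/apps/search/lookups/hosts.csv"},   # never audited
]


def parse_audit_event(line: str) -> Dict[str, str]:
    """Flatten one audit line into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in AUDIT_KV.findall(line):
        fields[key] = quoted if quoted else bare.strip()
    return fields


def latest_sizes(lines: Iterable[str],
                 actions=SIZE_ACTIONS) -> Dict[str, Tuple[datetime, int]]:
    """Equivalent of `isdir=0 action IN (...) | stats latest(size) latest(_time) by path`."""
    latest: Dict[str, Tuple[datetime, int]] = {}
    for line in lines:
        ev = parse_audit_event(line)
        if ev.get("isdir") != "0" or ev.get("action") not in actions:
            continue
        if "path" not in ev or "size" not in ev or "timestamp" not in ev:
            continue
        ts = datetime.strptime(ev["timestamp"], TS_FORMAT)
        size = int(ev["size"])
        prev = latest.get(ev["path"])
        if prev is None or ts > prev[0]:
            latest[ev["path"]] = (ts, size)
    return latest


def size_report(lines: Iterable[str], rest_rows: List[dict]) -> List[dict]:
    """Join audit-derived sizes onto lookup metadata; size_mb is None when unaudited."""
    sizes = latest_sizes(lines)
    report = []
    for row in rest_rows:
        hit: Optional[Tuple[datetime, int]] = sizes.get(row["path"])
        report.append({
            "title": row["title"], "app": row["app"], "owner": row["owner"],
            "path": row["path"],
            "size_mb": round(hit[1] / 1024 / 1024, 3) if hit else None,
            "last_seen": hit[0].isoformat() if hit else None,
        })
    return report


if __name__ == "__main__":
    for r in size_report(SAMPLE_AUDIT_EVENTS, SAMPLE_REST_ROWS):
        print(f'{r["title"]:<12} {r["app"]:<8} {r["owner"]:<8} '
              f'{"n/a" if r["size_mb"] is None else r["size_mb"]:>8} {r["last_seen"]}')
```

The join step is the part worth keeping in mind: a lookup that has not been touched within the searched time range (or that never generated an audit event) simply has no row on the audit side, so the REST listing, not the audit index, should drive the output if you want every lookup to appear.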

BuzzLights10
Explorer

Hey @richgalloway ,

Thanks for the reply!

Would I need to run this over a larger time range to get as many lookups in as possible? Any approximation of how large a range would get the best results?


richgalloway
SplunkTrust
SplunkTrust

It depends on how often bundles are rebuilt on your system. Start with 4 hours and add or subtract as necessary.

---
If this reply helps you, Karma would be appreciated.

BuzzLights10
Explorer

A majority of these are blacklisted from bundle replication and only exist on the SH cluster. I will check this out still.

Thanks!
