Splunk Search

How to figure out which lookup .csv file a certain index is using?

New Member

In Splunk, how do I figure out which lookup .csv file a certain index is using? In other words, how to find which index is using a certain lookup file in Splunk?

0 Karma

SplunkTrust

Okay, here are some debug steps.

First, find the search that is loading the summary index.

Second, run that search independently for a time in the past that has already been added to the summary index, but without the `collect` statement.

Third, run a similar search against your summary index, and see if they match.

If not, then we need to identify why your summary index is wrong, and by how much.

0 Karma
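The second and third debug steps from the answer above, combined into one search so the two result sets can be compared side by side. This is an added example, not part of the original post. `indexA` and `indexB` are the names used elsewhere in this thread; the one-event-per-transaction assumption, the 15-minute summary span, the `peak_tps` summary field, and the time window are all hypothetical and need to be replaced with whatever the populating search actually writes.

```spl
index=indexA earliest=-2h@h latest=-1h@h ```assumed window that the summary has already covered```
| bin _time span=1s
| stats count AS tps BY _time, Domain_Name, Instance_Name ```assumes one event = one transaction```
| bin _time span=15m
| stats max(tps) AS peak_tps BY _time, Domain_Name, Instance_Name
| eval origin="raw"
| append
    [ search index=indexB earliest=-2h@h latest=-1h@h
      | bin _time span=15m
      | stats max(peak_tps) AS peak_tps BY _time, Domain_Name, Instance_Name ```peak_tps is a hypothetical summary field```
      | eval origin="summary" ]
| eval key=_time."|".Domain_Name."|".Instance_Name
| chart max(peak_tps) OVER key BY origin
| fillnull value=0 raw summary
| eval delta=raw-summary
| where delta!=0
| sort - delta
```

Rows that survive the `where` are the buckets where the summary disagrees with the raw data; a value of 0 in the `summary` column means the bucket was never written. `append` runs a subsearch, which is subject to subsearch result and runtime limits, so keep the comparison window short.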

New Member

Hi DalJeanis,
I have another different question. Not sure how to ask you the question directly, hence asking in the same thread, sorry!

This is the query I am trying to use to pull memory usage %:

index=ff sourcetype=metrics_tbl [|inputlookup Domains_Instances_Servers.csv | search Instance_Name="r_prod_" Domain_Name="r_prod_cache_01" OR "r_prod_cache_03" OR "r_prod_cache_05" OR "r_prod_cache_07" LOB="Digi" Domain_Layer="Cacheis" | table Server_Name | rename Server_Name as machine ] earliest=-16m@m latest=-1m@m | bin _time span=15m | eval ServerMem=if(metric_category="OsResource",Memory,0) | eventstats count(eval(metric_category="OsResource")) as OSEvents, sum(ServerCPU) as TotalCPU , sum(ServerMem) as TotalMem by machine, LOB, Domain_Layer, Domain_Name, Instance_Name, Channel | eval avgCpu=round(TotalCPU/OSEvents,2) ,avgMem=round(TotalMem/OSEvents,2) | stats values(avgCpu) as "ServerCPU%" , values(avgMem) as "ServerMem%" by machine, _time, LOB, Domain_Layer, Domain_Name, Instance_Name, Channel | rename machine as Server, process as Instance, ServerMem% as val_ServerMem% | eval ts_time = _time * 1000 | top limit=1 Server by ts_time, val_ServerMem%, LOB, Domain_Layer, Domain_Name, Instance_Name, Channel | table ts_time, Server, LOB, Domain_Layer, Channel, Domain_Name, Instance_Name, val_ServerMem%

In the output/result table, values are displayed only for ts_time, Server, val_ServerMem%, and all the remaining columns (LOB, Domain_Layer, Channel, Domain_Name, Instance_Name) are empty. How can I get values for all these "LOB, Domain_Layer, Channel, Domain_Name, Instance_Name" as well?

Appreciate your help a lot!! I'm desperate, please help!

0 Karma

New Member

I'm new to Splunk. Could you please provide some example queries which would make more sense to me for all the steps you mentioned? Please!!

0 Karma

New Member

More details:

I have two indices. I am trying to compare them both. When I use the 1st index (indexA) I am getting a certain result and when I use the 2nd (indexB) I am getting another result, but it's supposed to give the same result.
What I am trying to do: calculate the peak TPS value of my domains and instances using those indices. indexA is not a summary index. indexB is a summary index. How can I verify what the difference between those indices is and why they are showing different TPS values at the same selected time range?

0 Karma

Splunk Employee

Now I am completely lost. How does this relate to lookup .csv files?

0 Karma

New Member

Forget about lookup files. I might have explained it in a wrong way in the first comment/question.
Please take my second comment/question as the main question and please provide me a solution.

0 Karma

Splunk Employee

Tell us more, please. Indices are not using lookup files. Lookup files are used in search queries via the lookup or inputlookup command, or you can have automatic lookups that are tied to a sourcetype and executed when you run a search that includes events for that sourcetype.

0 Karma

New Member

I have two indices. I am trying to compare them both. When I use the 1st index (indexA) I am getting a certain result and when I use the 2nd (indexB) I am getting another result, but it's supposed to give the same result.
What I am trying to do: calculate the peak TPS value of my domains and instances using those indices. indexA is not a summary index. indexB is a summary index. How can I verify what the difference between those indices is and why they are showing different TPS values at the same selected time range?

0 Karma