Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to only show the latest contents of a lookup file on a dashboard?

kuga_mbsd
New Member
‎11-30-2015 11:07 PM

Hi there,

My external program is retrieving the data and creating lookup table every night. The files are stored like below.
$SPLUNK_HOME/etc/apps/MyApp/lookups/FILE_YYYYmmdd.

The thing is I have to check the lookup table manually and give the list to my colleague every time since they don't know SPL at all.
Is there any good SPL to display only the latest contents of lookup flle on dashboard?

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Lucas_K
Motivator
‎12-01-2015 07:53 PM

SPL can do it easy.

2 ways. You can either have it copy the data OR have the macro fill in the name based on an eval.

  1. You will have both the old with old filename and also a newer one that can always be accessed with the same name/definition.

Just do an

inputlookup `latest_lookup_file` | outputlookup latestlookup

"latest_lookup_file" is macro that will figure out the file format that you specified automatically.
latestlookup should be a definition pointing to another csv file that users will always access.

ie. macros.conf

[latest_lookup_file]
definition = lower(strftime(relative_time(time(), "@d"), "FILE_%Y%m%d.csv"))
iseval = 1

Now schedule that inputlookup line as a savedsearch that is run some time after the your file is scheduled to be uploaded.

or 2. Use the macro from above and just call it directly.

inputlookup `latest_lookup_file`

That will automatically find the latest file. There won't be a copy but all your old ones will be there. The downside to this is that if your script doesn't run anything that uses this macro will fail the next day. Method 1 is safest.

Enjoy!

View solution in original post

Reply
Solved! Jump to solution
Solution

Lucas_K
Motivator
‎12-01-2015 07:53 PM

SPL can do it easy.

2 ways. You can either have it copy the data OR have the macro fill in the name based on an eval.

  1. You will have both the old with old filename and also a newer one that can always be accessed with the same name/definition.

Just do an

inputlookup `latest_lookup_file` | outputlookup latestlookup

"latest_lookup_file" is macro that will figure out the file format that you specified automatically.
latestlookup should be a definition pointing to another csv file that users will always access.

ie. macros.conf

[latest_lookup_file]
definition = lower(strftime(relative_time(time(), "@d"), "FILE_%Y%m%d.csv"))
iseval = 1

Now schedule that inputlookup line as a savedsearch that is run some time after the your file is scheduled to be uploaded.

or 2. Use the macro from above and just call it directly.

inputlookup `latest_lookup_file`

That will automatically find the latest file. There won't be a copy but all your old ones will be there. The downside to this is that if your script doesn't run anything that uses this macro will fail the next day. Method 1 is safest.

Enjoy!

Reply
Solved! Jump to solution

joxley
Path Finder
‎04-10-2016 03:26 PM

That's really clever! I love that you're using strftime to generate the filename 🙂

0 Karma
Reply
Solved! Jump to solution

kuga_mbsd
New Member
‎12-01-2015 08:00 PM

Thank you for your comment, Lucas.

Seems like it is doable with using macros.conf!
I've never configured this file but worth to try.

Thanks a bunch!!

0 Karma
Reply
Solved! Jump to solution

DMohn
Motivator
‎12-01-2015 12:50 AM

Have you considered rotating the "old" lookup files instead? By this you wouldn't have to check a new lookup file every day.

  1. Copy lookup.csv file to lookup_current_date.csv
  2. Overwrite lookup.csv

You don't have to change anything in the SPL or in your dahsboards this way.

0 Karma
Reply
Solved! Jump to solution

kuga_mbsd
New Member
‎12-01-2015 01:07 AM

Thank you very much for your reply, DMohn.

I think your idea sounds good, however, I'm afraid that it doesnt work for my case because I need to keep the date of file creation at the file name for the records.

Please advise.

0 Karma
Reply
Solved! Jump to solution

DMohn
Motivator
‎12-01-2015 02:51 AM

Is the file name "for the records" needed within the lookup as well?

Otherwise you could go for creating two files with your external data source: the lookup.csv which will be used by Splunk dashboard, and a FILE_YYYYmmdd, as you do currently. Furthermore, you could use a small script, which lists the contents of your lookup directory, splunk the results, and display the latest file name on your dashboard for reference.

0 Karma
Reply
Solved! Jump to solution

kuga_mbsd
New Member
‎12-01-2015 04:30 PM

well... yes, I was thinking exact your suggestions, to create two files or make script.
I was wondering if I could make it by SPL, but it seems undoable...

Anyway, thanks a lot, DMohn!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...