Splunk Search

What is Placeholder? How to create it and how does it work in lookup?

alexspunkshell
Contributor

Can someone help with Splunk Placeholder?

What is Placeholder? How to create it? How does it work in a lookup?

How to make changes to existing Placeholder


0 Karma

PickleRick
SplunkTrust

In general, a placeholder is something that - as the name suggests - holds the place. It is usually used instead of real data, for example, to make sure that the data structure is right.

Most probably someone who created the lookup put a "PLACEHOLDER" value there to make clear that this is not an example of real production data but is just put there to keep the table structure with something inside.

It's in no way a special value for the lookup. It's treated as any other lookup value.

richgalloway
SplunkTrust

Please tell us more.  Where did Wlist.csv come from?  What app is it?  "PLACEHOLDER" must have been inserted by the author of the lookup file or the app.

---
If this reply helps you, Karma would be appreciated.
0 Karma

alexspunkshell
Contributor

@richgalloway @PickleRick Thanks for your response

I have the below query. It uses the lookup and I can get the results.

But, when I check that lookup table there is no data. It just shows a placeholder.

I also checked in lookup tables and lookup definitions, but I am unable to find a lookup with that name, yet I am getting results for my query.

Could you please help me with how it is working here?

index=* component=HostWide NOT [|inputlookup wlist.csv | fields host]
| eval used_cpu = 100 - 'data.cpu_idle_pct'
| stats avg(used_cpu) as used_cpu by host
| fieldformat used_cpu=round(used_cpu,1)
| where used_cpu > `200_cpu_threshold`


0 Karma

PickleRick
SplunkTrust

This is a relatively normal practice - you either define a lookup or a macro to store some configuration parameters. In your case it's supposed to be a list of hosts which should for whatever reason be excluded from your search.

This way you externalize the configuration part from the logic.

Let's say you create an app which provides some reports and dashboards. If you "export" the settings to an alias or lookup, you can easily maintain the dashboards/reports/whatevers regardless of what the user of the app configured in those aliases or lookups. This way you can easily maintain your app and upgrade functionality and searches behind the app functionality and it doesn't touch user's configuration.

For example - if I create an app with a dashboard pulling data from an index containing events regarding, let's say, your OpenStack infrastructure. As I have no knowledge about your splunk environment I have no way of knowing where you store your events. So I can either hardcode index names into my searches making the app very inconvenient for you to use since you have to conform strictly to index names (which could be conflicting with some other apps if they were written equally badly) or I can externalize that index definition into an alias or lookup. This way I'll put into my app search like

`openstack_indexes` <my_search>

or

[ | inputlookup openstack_indexes | table index ] <my_search>

And you wanting to use my app have to define a macro called openstack_indexes which will expand to something like

index=my_openstack_events

or a lookup which has a field called index holding index names.

And coming back to your case - if your wlist.csv lookup contains only the placeholder you effectively don't add any reasonable constraints on your search, so it works as if that condition using inputlookup was not present at all (because you're adding a condition of NOT host=PLACEHOLDER to your search).

If you added some lines to the wlist.csv lookup, with values of host1, host2 and host3 in the host field (the notes field is ignored in your subsearch) the first part of your search would effectively get expanded after the subsearch execution to

index=* component=HostWide NOT (host=host1 OR host=host2 OR host=host3 OR host=PLACEHOLDER)

 Assuming that you left the PLACEHOLDER where it is.
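The expansion described above can be checked directly: appending format to the subsearch prints the exact string that the outer search receives. This is an added example, not part of the thread; it assumes wlist.csv has a host column containing the rows host1, host2, host3 and PLACEHOLDER.

```spl
| inputlookup wlist.csv
| fields host
| format
```

The result is one row with a single search field reading ( ( host="host1" ) OR ( host="host2" ) OR ( host="host3" ) OR ( host="PLACEHOLDER" ) ), which is what replaces the bracketed subsearch in index=* component=HostWide NOT [...]. With only the placeholder row present the field is ( ( host="PLACEHOLDER" ) ), so the NOT excludes nothing unless a real host happens to be named PLACEHOLDER, which is why the query still returns results although the lookup looks empty.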

alexspunkshell
Contributor

@PickleRick  Thanks for your detailed information.

Now I want to edit the info in the existing lookup file. Can you please help me with how to download the original lookup? Where can I find it?

I can find it in Settings --> Lookups

Since the lookup is showing a placeholder, how to make the changes in the placeholder?

0 Karma

PickleRick
SplunkTrust

There are several ways of modifying lookups:

1) Use outputlookup command to write results of your search to a lookup

2) Delete old csv file and upload new one (works with csv-backed lookups)

3) Install lookup editor app - https://splunkbase.splunk.com/app/1724/
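One way to carry out option 1 for this particular lookup: read the current rows, drop the placeholder row, append the hosts that should be excluded, and write the file back. This is an added example, not code from the thread; host1, host2 and the notes text are constructed values, and the lookup is assumed to have exactly the columns host and notes.

```spl
| inputlookup wlist.csv
| where host!="PLACEHOLDER"
| append
    [| makeresults count=2
     | streamstats count AS n
     | eval host=if(n==1, "host1", "host2")
     | eval notes="constructed example: excluded from CPU report"
     | table host notes ]
| table host notes
| outputlookup wlist.csv
```

Run it once without the final outputlookup line to preview the rows that will be written, and run it from the app that owns wlist.csv so that outputlookup overwrites that file rather than creating a new copy in another app context. If the file should never be empty, keep the placeholder row instead of filtering it out; as shown above, it adds a condition that excludes no real host.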
