Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I receiving inconsistent inputlookup behavior?

cvjbrooks
New Member
‎03-10-2022 09:56 AM

I am updating a CSV on disk via the search api using outputlookup.  Each time I run my script using the same source CSV, the CSV on disk is updated correctly. It shows the correct number of rows.

When I try to read the CSV via UI or the /jobs & /export API  it doesn't return the correct number of rows approximately 40% of the time

I run my script 10 times, and 6 times it's a perfect match, the row count is what I expect it to be, 4 times it fails with random number of rows returned.   Each time, the number of rows in the CSV on disk is correct though.  

From what I can see, I am not hitting quotas or limits and it doesn't seem to be related to system load. There isn't anything obvious to me in any logs either. 

My flow is like this:

  • API call with append=f to overwrite the CSV/set column names
  • Multiple API calls with append=t to add data (10 rows of data per call)
  • Final search to ensure the expected number of rows match

My search to validate is like this, and this is where the inconsistencies happen:

 

| inputlookup my_new_file.csv | table <column name, column name....>

 

My CSV is currently 110 columns, and 5625 rows. 

When it works, search returns the correct number of rows each time. When it doesn't work,  it consistently returns the wrong number.  To clarify, if i get 500 rows instead of the expected 5625, every time i search i will get 500 rows until I re-run my script to update the CSV on disk. 

 

Thanks

 

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2022 09:59 AM

Are you running in a clustered environment, because it can take some time for the updates to be distributed across the whole cluster?

0 Karma
Reply

cvjbrooks
New Member
‎03-10-2022 10:15 AM

It is a cluster, but I am searching from the same instance I am writing to (not going through load balancer). 

I have a second script so I can check all three hosts in the cluster and the erroneous search results is  consistent across all of them despite the row count being correct on all. 

It seems to be replicating the CSV instantly from what i can tell. Regardless of which search head I hit, I get 735 rows returned even though all three search heads have the right row count in the CSV on disk. 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...