Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to perform lookups on summary index data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a lookup on sourcetype=vipservices
csv file has values like so
jurhash, jurhasfriendlyname
somehashvalue, somehashvalue_friendly_name
Works fine when i am running the lookup on the sourcetype, but when i populate a summary index and try to use the lookup the sourcetype gets renamed to "Stash".
What's the best way to preserve sourcetype or reference original sourcetype for the existing lookup to use against the summary index?
Any other workarounds would work also
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've given a couple of options below, but I do have a question: what does your populating search look like? I assumed that you were using sistats ...
Option 1 - you could use the lookup command when you retrieve the data from the summary index
index=yoursummaryindex saved_search=yoursavedsearch
| lookup yourlookupname jurhash OUTPUT juhasfriendlyname
| ... whatever you want to get out ...
Option 2 - put the lookup into the populating search (which I called yoursavedsearch in option 1):
sourcetype=vipservices | sistats whateverstats by whateverfields jushasfriendlyname
and then the juhasfriendlyname will be stored, like any other field, in the summary index. You will not need to do the lookup when you retrieve the data from the summary index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Our populating search was this btw:
index="vip" sourcetype=vipservices
| transaction TR startswith="Operation Start" endswith="Operation End"
| eval elapsed_wait=elapsed_operation-elapsed_request
| sistats count, avg(elapsed_operation) as total-avg, perc80(elapsed_operation) as total-80, perc90(elapsed_operation) as total-90,
perc95(elapsed_operation) as total-95, perc98(elapsed_operation) as total-98, perc99(elapsed_operation) as total-99,max(elapsed_operation) as total-max,
avg(elapsed_responder) as resp-avg, max(elapsed_responder) as resp-max,
avg(elapsed_request) as req-avg, max(elapsed_request) as req-max,
avg(elapsed_wait) as wait-avg, max(elapsed_wait) as wait-max
by host, JURHASH, OP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've given a couple of options below, but I do have a question: what does your populating search look like? I assumed that you were using sistats ...
Option 1 - you could use the lookup command when you retrieve the data from the summary index
index=yoursummaryindex saved_search=yoursavedsearch
| lookup yourlookupname jurhash OUTPUT juhasfriendlyname
| ... whatever you want to get out ...
Option 2 - put the lookup into the populating search (which I called yoursavedsearch in option 1):
sourcetype=vipservices | sistats whateverstats by whateverfields jushasfriendlyname
and then the juhasfriendlyname will be stored, like any other field, in the summary index. You will not need to do the lookup when you retrieve the data from the summary index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
option #1 worked, nice that you can call the lookup on demand. thanks very much!
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
