Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: injecting indexed file within a search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
injecting indexed file within a search
Hello, I'm still new to SPLUNK and still learning so apologies for any incorrect naming 🙂
I have a search in SPLUNK that runs daily and does some filtering to then lookup an indexed .csv for additional information. The indexed .csv is injected into SPLUNK daily and the files are called: "YYYY-MM-DD Report.csv".
The search is supposed to take that into consideration and look at the latest report based on the date in the subject. It currently looks like this:
| rename Letter as C1111
| table A1111, B1111, C1111
| join type=left C1111
[ search earliest=-24h host="AAA" index="BBB" sourcetype="CCC"
| eval dateFile=strftime(now(), "%Y-%m-%d")
| where like(source,"%".dateFile."%Report.csv")
| rename "Number" as C1111
| eval C1111=lower(C1111)
| fields C1111, "1 xxxx","2 yyyy","3 zzzz"]
| table A1111, B1111, C1111, "1 xxxx","2 yyyy","3 zzzz"This used to work but has stopped a few days back and I'm unable to figure out what the issue might be.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are few things which we need to check before we check the search
- Is the file available for each date?
- Is the search produce some result for
index="BBB" host="AAA" sourcetype="CCC" earliest=-24h
| eval dateFile=strftime(now(), "%Y-%m-%d")
| where like(source,"%".dateFile."%Report.csv")
- Does it still has some values in the column C1111?
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I run the search as per your suggestion I get:
Could not load lookup=LOOKUP-splunk_security_essentials.
However I have noticed another issue today. Up until the last couple of days the main search would give me no results, or results that don't make sense because the data would be pulled form a Report.csv which was few days old. I would still see the data properly indexed though, if i did: index="BBB".
When I ran index="BBB" today, I noticed that the Report.csv from the last two days have not been indexed. This has never happened before, and not sure why it would suddenly stop indexing.
I couldn't find any errors in the logs related to the index.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
