Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

injecting indexed file within a search

Orange_girl
Loves-to-Learn Everything
‎05-14-2024 06:38 AM

Hello, I'm still new to SPLUNK and still learning so apologies for any incorrect naming  🙂

I have a search in SPLUNK that runs daily and does some filtering to then lookup an indexed .csv for additional information. The indexed .csv is injected into SPLUNK daily and the files are called: "YYYY-MM-DD Report.csv". 

The search is supposed to take that into consideration and look at the latest report based on the date in the subject. It currently looks like this:

| rename Letter as C1111
| table A1111, B1111, C1111
| join type=left C1111
[ search earliest=-24h host="AAA" index="BBB" sourcetype="CCC"
| eval dateFile=strftime(now(), "%Y-%m-%d")
| where like(source,"%".dateFile."%Report.csv")
| rename "Number" as C1111
| eval C1111=lower(C1111)
| fields C1111, "1 xxxx","2 yyyy","3 zzzz"]
| table A1111, B1111, C1111, "1 xxxx","2 yyyy","3 zzzz"

This used to work but has stopped a few days back and I'm unable to figure out what the issue might be. 

Labels (1)
Labels
0 Karma
Reply

renjith_nair
Legend
‎05-16-2024 04:51 AM

There are few things which we need to check before we check the search

  • Is the file available for each date?
  • Is the search produce some result for

 

index="BBB" host="AAA"  sourcetype="CCC" earliest=-24h 
| eval dateFile=strftime(now(), "%Y-%m-%d")
| where like(source,"%".dateFile."%Report.csv")

 

  • Does it still has some values in the column C1111?
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

Orange_girl
Loves-to-Learn Everything
‎05-28-2024 01:43 AM

When I run the search as per your suggestion I get: 

Could not load lookup=LOOKUP-splunk_security_essentials.

However I have noticed another issue today. Up until the last couple of days the main search would give me no results, or results that don't make sense because the data would be pulled form a Report.csv which was few days old. I would still see the data properly indexed though, if i did: index="BBB".

When I ran index="BBB" today, I noticed that the Report.csv from the last two days have not been indexed. This has never happened before, and not sure why it would suddenly stop indexing. 

 I couldn't find any errors in the logs related to the index. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...