Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

injecting indexed file within a search

Orange_girl
Loves-to-Learn Everything
‎05-14-2024 06:38 AM

Hello, I'm still new to SPLUNK and still learning so apologies for any incorrect naming  🙂

I have a search in SPLUNK that runs daily and does some filtering to then lookup an indexed .csv for additional information. The indexed .csv is injected into SPLUNK daily and the files are called: "YYYY-MM-DD Report.csv". 

The search is supposed to take that into consideration and look at the latest report based on the date in the subject. It currently looks like this:

| rename Letter as C1111
| table A1111, B1111, C1111
| join type=left C1111
[ search earliest=-24h host="AAA" index="BBB" sourcetype="CCC"
| eval dateFile=strftime(now(), "%Y-%m-%d")
| where like(source,"%".dateFile."%Report.csv")
| rename "Number" as C1111
| eval C1111=lower(C1111)
| fields C1111, "1 xxxx","2 yyyy","3 zzzz"]
| table A1111, B1111, C1111, "1 xxxx","2 yyyy","3 zzzz"

This used to work but has stopped a few days back and I'm unable to figure out what the issue might be. 

Labels (1)
Labels
0 Karma
Reply

renjith_nair
Legend
‎05-16-2024 04:51 AM

There are few things which we need to check before we check the search

  • Is the file available for each date?
  • Is the search produce some result for

 

index="BBB" host="AAA"  sourcetype="CCC" earliest=-24h 
| eval dateFile=strftime(now(), "%Y-%m-%d")
| where like(source,"%".dateFile."%Report.csv")

 

  • Does it still has some values in the column C1111?
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

Orange_girl
Loves-to-Learn Everything
‎05-28-2024 01:43 AM

When I run the search as per your suggestion I get: 

Could not load lookup=LOOKUP-splunk_security_essentials.

However I have noticed another issue today. Up until the last couple of days the main search would give me no results, or results that don't make sense because the data would be pulled form a Report.csv which was few days old. I would still see the data properly indexed though, if i did: index="BBB".

When I ran index="BBB" today, I noticed that the Report.csv from the last two days have not been indexed. This has never happened before, and not sure why it would suddenly stop indexing. 

 I couldn't find any errors in the logs related to the index. 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...