Hello Gurus,
I'm trying to generate a lookup from a search using the outputlookup option but running into some issues.
My search returns between 400 & 500 results on the Statistics tab, but my lookup only gets approx 250 - 300 rows max.
Trying to understand why the lookup doesn't get all the rows from the search.
Not sure if it is related to my search being reasonably complex - would have thought it would just work on the results.
Any ideas on why this would be happening?
Details of the Search - in case useful:
index=* sourcetype="flo_logs" STATUS=N
| bin span=1d _time
| eval Entity_Action = ActionName
| stats count as FlowLog_ErrorCount by _time index source Entity_Action
| inputlookup append=true FlowLogThresholds
| stats avg(FlowLog_ErrorCount) max(FlowLog_ErrorCount) as FlowLog_MaxErrors count AS NumErrors by index source Entity_Action
| eval AvgFlowErrorCountMax50=if('avg(FlowLog_ErrorCount)'>50,50,'avg(FlowLog_ErrorCount)')
| eval AvgFlowErrorCountMax50=if(NumErrors<3,0,AvgFlowErrorCountMax50)
| eval FlowLog_ErrorTH=ceil(AvgFlowErrorCountMax50)
| eval FlowLog_ErrorCount=0
| lookup FlowLogThresholds index source Entity_Action output FlowLog_ErrorTH_DayTmp FlowLog_ErrorTH_OR IntLog_ErrorCount IntLog_MaxErrors IntLog_ErrorTH IntLog_ErrorTH_DayTmp IntLog_ErrorTH_OR
| eval FlowLog_MaxErrors=if(isnull(FlowLog_MaxErrors),0,FlowLog_MaxErrors)
| eval FlowLog_ErrorTH=if(isnull(FlowLog_ErrorTH),0,FlowLog_ErrorTH)
| eval FlowLog_ErrorTH_DayTmp=0
| eval FlowLog_ErrorTH_OR=if(isnull(FlowLog_ErrorTH_OR),0,FlowLog_ErrorTH_OR)
| eval IntLog_ErrorCount=if(isnull(IntLog_ErrorCount),0,IntLog_ErrorCount)
| eval IntLog_MaxErrors=if(isnull(IntLog_MaxErrors),0,IntLog_MaxErrors)
| eval IntLog_ErrorTH=if(isnull(IntLog_ErrorTH),0,IntLog_ErrorTH)
| eval IntLog_ErrorTH_DayTmp=0
| eval IntLog_ErrorTH_OR=if(isnull(IntLog_ErrorTH_OR),0,IntLog_ErrorTH_OR)
| table index source Entity_Action FlowLog_ErrorCount FlowLog_MaxErrors FlowLog_ErrorTH FlowLog_ErrorTH_DayTmp FlowLog_ErrorTH_OR IntLog_ErrorCount IntLog_MaxErrors IntLog_ErrorTH IntLog_ErrorTH_DayTmp IntLog_ErrorTH_OR
UPDATE:
I have raised this as an issue with Splunk support. Ticket has been escalated within Splunk so I'm assuming there must be an issue somewhere as to why this is not working as expected.
Will post outcome of that ticket once resolved.
Thanks to those that looked at this for me.
After spending some time with Splunk Support, turns out that my issue was more a limitation of Chrome rather than a Splunk issue.
For some reason, Chrome is not allowing full scrolling of the rows within my table - not sure why this is as it works perfectly well in Firefox.
One issue that I was having was that because the number of columns was wider than my open window, it was creating a second up/down scroll bar which was not obviously visible, but now even with the window at full screen and no secondary scroll bar, I'm still not able to scroll all the way to the bottom of my table.
Not sure if this is something that needs to be fixed in Chrome or if the Lookup Editor can somehow be updated to resolve these issues - I suspect it would need to be the former. Until then - Firefox has me sorted.
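The lesson of the accepted answer is that the Lookup Editor's rendered table is not a reliable way to count what outputlookup wrote. The following is an added example (not code from the original post or from Splunk) that checks the exported CSV on disk instead: it counts CSV records rather than physical lines (a quoted field containing a newline makes `wc -l` over-count), and flags duplicate or empty key values, which would make the poster's `lookup ... index source Entity_Action` matching ambiguous. The field names are taken from the search in the question; the CSV contents are constructed sample data, and the lookup path in the usage note is an assumption.

```python
"""Verify an exported Splunk lookup CSV on disk instead of by scrolling the
Lookup Editor.

Added example for this thread, not code from the original post or from
Splunk. Field names follow the poster's search; the CSV text below is
constructed sample data, not the real FlowLogThresholds.csv.
"""
import csv
import io
import sys
from collections import Counter

KEY_FIELDS = ("index", "source", "Entity_Action")

# Constructed sample. Record 2 has a quoted field containing a newline, so
# `wc -l` over-counts; records 3 and 4 share the same key.
SAMPLE_CSV = (
    "index,source,Entity_Action,FlowLog_ErrorCount,FlowLog_MaxErrors,FlowLog_ErrorTH\n"
    "prod,/var/log/flo.log,CreateOrder,0,12,8\n"
    'prod,/var/log/flo.log,"Update\nOrder",0,60,50\n'
    "dev,/var/log/flo.log,CreateOrder,0,2,0\n"
    "dev,/var/log/flo.log,CreateOrder,0,3,0\n"
)


def lookup_stats(text, key_fields=KEY_FIELDS):
    """Parse lookup CSV text and return the counts worth checking."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    keys = Counter(tuple(row.get(k, "") for k in key_fields) for row in rows)
    return {
        "fields": list(reader.fieldnames or []),
        "rows": len(rows),                    # CSV records, i.e. what Splunk sees
        "physical_lines": text.count("\n"),   # what `wc -l` would report
        "duplicate_keys": {k: n for k, n in keys.items() if n > 1},
        # record numbers (header is record 1) with an empty key field
        "rows_missing_key": [
            i for i, row in enumerate(rows, start=2)
            if any(not row.get(k) for k in key_fields)
        ],
    }


def check_row_count(text, expected, key_fields=KEY_FIELDS):
    """Return (ok, stats). ok is True only when the record count matches
    `expected` and no key is duplicated or empty."""
    stats = lookup_stats(text, key_fields)
    ok = (stats["rows"] == expected
          and not stats["duplicate_keys"]
          and not stats["rows_missing_key"])
    return ok, stats


def main(argv):
    # usage: check_lookup.py EXPECTED_ROWS [PATH]; with no PATH the sample is used
    if len(argv) > 2:
        with open(argv[2], newline="", encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    expected = int(argv[1]) if len(argv) > 1 else 4
    ok, stats = check_row_count(text, expected)
    print(f"records={stats['rows']} lines={stats['physical_lines']} "
          f"fields={len(stats['fields'])} expected={expected}")
    for key, n in stats["duplicate_keys"].items():
        print(f"duplicate key {key!r} appears {n} times")
    for rec in stats["rows_missing_key"]:
        print(f"record {rec} has an empty key field")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the file the scheduled search writes, e.g. `python check_lookup.py 450 $SPLUNK_HOME/etc/apps/search/lookups/FlowLogThresholds.csv` (the app and path are assumed; use wherever your lookup definition points). If the record count matches the Statistics tab, the CSV is complete and any shortfall is in the viewer, which is exactly what the poster found; a non-zero exit on duplicate keys is worth knowing about separately, since the search keys its lookup on those three fields.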
That is hilarious! Do click Accept on your answer to close it out.
Where is your outputlookup?
Ah - yes, I'm actually running this as a scheduled search using the output to lookup option.
But I also tested manually adding
| outputlookup FlowLogThresholds.csv
on the end.
Let us know what you figure out with support. It definitely should work as-is.