Splunk Search

outputlookup limitations??

MKozanic
Path Finder

Hello Gurus,

I'm trying to generate a lookup from a search using the outputlookup option but running into some issues.

My search returns between 400 & 500 results on the Statistics tab, but my lookup only gets approx 250 - 300 rows max.

Trying to understand why the lookup doesn't get all the rows from the search.

Not sure if it is related to my search being reasonably complex - would have thought it would just work on the results.

Any ideas on why this would be happening?

Details of the Search - in case useful:

index=* sourcetype="flo_logs" STATUS=N
| bin span=1d _time
| eval Entity_Action = ActionName
| stats count as FlowLog_ErrorCount by _time index source Entity_Action
| inputlookup append=true FlowLogThresholds
| stats avg(FlowLog_ErrorCount) max(FlowLog_ErrorCount) as FlowLog_MaxErrors count AS NumErrors by index source Entity_Action
| eval AvgFlowErrorCountMax50=if('avg(FlowLog_ErrorCount)'>50,50,'avg(FlowLog_ErrorCount)')
| eval AvgFlowErrorCountMax50=if(NumErrors<3,0,AvgFlowErrorCountMax50)
| eval FlowLog_ErrorTH=ceil(AvgFlowErrorCountMax50)
| eval FlowLog_ErrorCount=0
| lookup FlowLogThresholds index source Entity_Action output FlowLog_ErrorTH_DayTmp FlowLog_ErrorTH_OR IntLog_ErrorCount IntLog_MaxErrors IntLog_ErrorTH IntLog_ErrorTH_DayTmp IntLog_ErrorTH_OR
| eval FlowLog_MaxErrors=if(isnull(FlowLog_MaxErrors),0,FlowLog_MaxErrors)
| eval FlowLog_ErrorTH=if(isnull(FlowLog_ErrorTH),0,FlowLog_ErrorTH)
| eval FlowLog_ErrorTH_DayTmp=0
| eval FlowLog_ErrorTH_OR=if(isnull(FlowLog_ErrorTH_OR),0,FlowLog_ErrorTH_OR)
| eval IntLog_ErrorCount=if(isnull(IntLog_ErrorCount),0,IntLog_ErrorCount)
| eval IntLog_MaxErrors=if(isnull(IntLog_MaxErrors),0,IntLog_MaxErrors)
| eval IntLog_ErrorTH=if(isnull(IntLog_ErrorTH),0,IntLog_ErrorTH)
| eval IntLog_ErrorTH_DayTmp=0
| eval IntLog_ErrorTH_OR=if(isnull(IntLog_ErrorTH_OR),0,IntLog_ErrorTH_OR)
| table index source Entity_Action FlowLog_ErrorCount FlowLog_MaxErrors FlowLog_ErrorTH FlowLog_ErrorTH_DayTmp FlowLog_ErrorTH_OR IntLog_ErrorCount IntLog_MaxErrors IntLog_ErrorTH IntLog_ErrorTH_DayTmp IntLog_ErrorTH_OR

UPDATE:
I have raised this as an issue with Splunk support. Ticket has been escalated within Splunk so I'm assuming there must be an issue somewhere as to why this is not working as expected.

Will post outcome of that ticket once resolved.

0 Karma
1 Solution

MKozanic
Path Finder

Thanks to those that looked at this for me.

After spending some time with Splunk Support, turns out that my issue was more a limitation of Chrome rather than a Splunk issue.

For some reason, Chrome is not allowing full scrolling of the rows within my table - not sure why this is as it works perfectly well in Firefox.

One issue that I was having was that because the number of columns was wider than my open window, it was creating a second up/down scroll bar which was not obviously visible, but now even with the window at full screen and no secondary scroll bar, I'm still not able to scroll all the way to the bottom of my table.

Not sure if this is something that needs to be fixed in Chrome or if the Lookup Editor can somehow be updated to resolve these issues - I suspect it would need to be the former. Until then - Firefox has me sorted.
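Since the missing rows turned out to be a browser rendering problem in the Lookup Editor rather than rows actually dropped by outputlookup, the practical check is to count what is stored in the lookup file from the search bar, which does not depend on the browser scrolling at all. The following search is an added example and not part of the original post; it reuses the lookup name and key fields from the question, and the combined key field name is an assumption:

```spl
| inputlookup FlowLogThresholds.csv
| eval key=index."|".source."|".Entity_Action
| stats count AS lookup_rows, dc(key) AS distinct_keys
| eval duplicate_key_rows=lookup_rows-distinct_keys
```

If lookup_rows matches the row count shown on the Statistics tab of the generating search, the file is complete and any shortfall you see is in the editor's display. A non-zero duplicate_key_rows means the lookup holds more than one row per index/source/Entity_Action combination, which is worth knowing because the `| lookup ... output ...` step in the question will then only return the first match. To eyeball the end of the file without scrolling, `| inputlookup FlowLogThresholds.csv | tail 10` shows the last ten rows directly.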


woodcock
Esteemed Legend

That is hilarious! Do click Accept on your answer to close it out.

0 Karma

woodcock
Esteemed Legend

Where is your outputlookup?

0 Karma

MKozanic
Path Finder

Ah - yes, I'm actually running this as a scheduled search using the output to lookup option.

But I also tested manually adding

| outputlookup FlowLogThresholds.csv

on the end.

0 Karma

woodcock
Esteemed Legend

Let us know what you figure out with support. It definitely should work as-is.

0 Karma