outputlookup timechart followed by inputlookup timechart

Motivator

Let's say that I do an outputlookup after a timechart command. Now I have a csv file that should be formatted for the timechart command. I want to inputlookup that csv and timechart it. How do I do that?

My outputlookup timechart looks like this:

mysearch | timechart useother=f limit=0 count by host | outputlookup count_host.csv

My inputlookup timechart looks like this:

| inputlookup count_host.csv | timechart useother=f limit=0 sum(count) by host ?
0 Karma

Re: outputlookup timechart followed by inputlookup timechart

Motivator

I'm assuming you want to do this to make it more efficient... why don't you simply use acceleration on a saved search version of the mysearch | timechart ... ?

0 Karma

Re: outputlookup timechart followed by inputlookup timechart

SplunkTrust

What you suggest seems equivalent to

mysearch | timechart useother=f limit=0 count by host | timechart useother=f limit=0 count by host

which I wouldn't expect to work.

What exactly are you trying to accomplish?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: outputlookup timechart followed by inputlookup timechart

Motivator

The goal is to quickly pull a timechart to a dashboard panel as a timechart.

0 Karma

Re: outputlookup timechart followed by inputlookup timechart

Motivator

Trying to use search acceleration but it is doing nothing.

Summary ID | Normalized Summary ID | Reports Using Summary | Summarization Load | Access Count | Summary Status
reportiisevents_user | | | 0.0000 | 0 (Last Access: Never) | Summarization not started (Updated: Never)
reportiisevents_host | | | 0.0000 | 0 (Last Access: Never) | Summarization not started (Updated: Never)

My guess is that the data to be summarized simply isn't large enough to kick off the acceleration process.

0 Karma

Re: outputlookup timechart followed by inputlookup timechart

Splunk Employee

I'm going to answer your question, but as others say if you're simply trying to "speed up" this search then use the following:

  • Scheduled saved search (loading the saved search will reference the cached results from the last run)
  • Report acceleration
  • Data model acceleration
  • Summary indexing

Anyway the answer is

| inputlookup count_host.csv | timechart values(*) as *
0 Karma

Re: outputlookup timechart followed by inputlookup timechart

Motivator

Your answer is not correct. Splunk returns the following error:

Error in 'timechart' command: Wildcard field '*' cannot be used in xyseries command for xfield or yfield.

  • There seems to be an issue with loading the saved search. It may stop re-running the search after the saved search runs for the first time as a saved search, though.
  • Report acceleration is not kicking off.
  • Datamodel acceleration has not been explored and may be a solution.
  • Summary indexing will of course work, but since it is most naturally suited to searching back in time, it has not yet been determined as the best approach to this use case.
0 Karma

Re: outputlookup timechart followed by inputlookup timechart

Splunk Employee

Please expand mysearch then since you just now specified that you were using | xyseries. I was simply using index=_internal for my base search. I don't understand what's wrong with the saved search. Are you saying it's not running on a schedule? You tried loading it via | loadjob or | savedsearch?

0 Karma

Re: outputlookup timechart followed by inputlookup timechart

Motivator

I am not using xyseries. I am using timechart.

I don't understand what you mean by "expand mysearch". The dashboard panel that generated the error is:

| inputlookup iis_count_host.csv | timechart values(*) by *

The saved search is scheduled, but the first scheduled time is tonight at midnight.

I have not tried using loadjob or savedsearch with the saved search. Those may be good options ... but then I realized that if those work straight out of the box, then so would | inputlookup so I just now changed the dashboard panel to:

| inputlookup iis_count_host.csv

and it worked! Sort of. One of the hosts was grabbed for the time on the x-axis and the time was graphed on the y-axis.

| inputlookup iis_count_host.csv | table _time SRV*

Seems to correct this with the benefit that my servers start with SRV (not applicable in other use cases), but the numbers are low (about 1/5) and the lines do not match the original timechart. Not sure what is going on there.

0 Karma
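As an added example (not from any reply in this thread): instead of charting the wide per-host columns directly, the CSV can be turned back into one row per host and time bucket with untable, after which the original `timechart ... by host` form works unchanged. It assumes count_host.csv was written by the outputlookup in the question, so it holds _time as epoch seconds plus one count column per host, and possibly a _span column left over from the first timechart.

```spl
| inputlookup count_host.csv
| fields - _span
| untable _time host count
| timechart useother=f limit=0 sum(count) by host
```

This removes the dependence on host names starting with SRV, since untable names every remaining column as a host value.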

Re: outputlookup timechart followed by inputlookup timechart

Splunk Employee

Try | loadjob savedsearch=admin:search:foo where admin is your user, search is the app, and foo is the name of the saved search. Then | loadjob will instantly show the result of the last saved search's run (assuming you scheduled it).

0 Karma