Taking it one step further, I made a global macro: [outputlookup_if_data(1)] args = lookup_file definition = eval upx_type="new" | append [ |inputlookup $lookup_file$ | eval u px_type="old"] | eventstats count(eval(upx_type="new")) as upx_hasData | eval u px_filter=if(upx_hasData>0,"new","old") | where upx_type=upx_filter | fields - upx_type upx_hasData upx_filter | outputlookup $lookup_file$ ... View more

For the append, I think you mean "inputlookup". I know what you mean and this works well for that case. -Thanks ... View more

I'm running many scheduled searches. In SQL, there is the "on error" capability that let's you avoid taking further action if something broke before. Many of our searches do something like the following: |dbxquery connection=xxx query="select * from tablex" |massage the data |outputlookup tablex_fast_lookup If the SQL command dies due to a SQL issue, then we end up writing an empty lookup file. Once the lookup file is empty, dozens of other things break. I suppose I could convert it to a kv-store and merge data to the lookup with a last update timestamp. Then we could purge older data based on the timestamp. I figured that if I could abort the command, then the lookup file would have stale data, but it would not be empty. ... View more

I'd rather not do it with a map, because some of my finishing commands already leverage map. For the "Accept" how would you do it with a subsearch? ... View more

I wonder when Splunk will provide some real relief for this issue. We have many apps that require large lookups for accelerated data models and other indexer-level search functionality. There are many applications in the search head cluster that is connected to multiple indexer clusters that are developed and maintained by many different groups. Bundle replication issues are the bane of my existence!!!! ... View more

I should have clarified. I am talking about the export to file option on the main search interface. This allows the end user to export directly to their desktop. I suppose exporting to a lookup file would allow this by giving the users access to the Lookup Editor, but that could also increase our search bundle and cause issues with distributed search bundle replication. There is a maxresultrows=nnn in limits.conf, but the documentation explicitly says not to set this higher than 50000. My question is Why? And if there is a technical reason, then is there an app that would run the search in the REST API and then let the user download the result >100000000 rows and/or >100GB, etc... ... View more

Thanks Daniel, We can post any generic resolutions when we are finished. ... View more

Thanks for the detailed analysis. Unfortunately, we use very large lookup files referenced by accelerated datamodels. By the very nature of accelerated datamodels, these lookups have to take place on the indexers. Other types of lookups are either too slow or get replicated in the same way. We are just below the point that breaks the bundle replication, but would love an intermediate solution. ... View more

Thanks for calling me out. I now see that I assumed the Splunk_SA_CIM app to be installed. I was also trying to get the client_ip in cases where it was missing. I agree that @masonmorales gave a more comprehensive answer, but I was attempting to capture more of the clientip values. Tweaking the search from masonmorales results in more logins and additional clientip values: index=_audit sourcetype=audittrail user=\* action=log\* | rename info as status | replace succeeded with success in status | replace failed with failure in status | replace "login attempt" with login in action | stats count by user action status _time | append [search index=_internal sourcetype=splunk_web_service user=\* action=log\* | stats count by user action status _time] | join type=OUTER user [search index=_internal (component=UiAuth OR sourcetype=splunk_web_service) user=\* clientip=\* | stats first(clientip) as clientip by user] | table _time user host clientip action status count ... View more

same idea, but for people with hyphens or other special characters in the name you could try: [^=]+ in place of [\w\s]+ ... View more

This isn't using a rest call, but how about the datamodel command: |datamodel |spath output=modelName path=modelName |spath output=foo path=objects{} |mvexpand foo |spath input=foo output=objectName path=objectName |spath input=foo output=foo path=fields{} |mvexpand foo |spath input=foo output=fieldName path=fieldName |spath input=foo output=type path=type |table modelName,objectName,fieldName,type ... View more

I specifically create new base roles to inherit from. For example, I create a base_user with no data access and some basic search capabilities. I also create a base_dev role with additional capabilities for editing dashboards and scheduling searches. My goal is to lock down access to "least required" by each team to meet audit guidelines. I am not seeing any inherited features of user or power in my other roles. Are there any hidden attributes that are inherited from user or power? ... View more

It sounds like you need to open a case. Did you run a real-time (All time) search to see if events are coming in, but with a delay? We has a problem with delay and had to turn off AD name resolution with: [WinEventLog:Security] evt_resolve_ad_obj = 0 ... View more

Why not use a scripted input: http://docs.splunk.com/Documentation/Splunk/6.2.4/AdvancedDev/ScriptedInputsIntro You can have it run at an interval and write to a file that is read by Splunk. ... View more

We also saw this with a Splunk 6.2.3 search head. It only happened once so far, and the person didn't see it again after a browser restart. ... View more

You can also get the words as a multi-valued result and separate them as needed with mvexpand |rex field=_raw "Request (?<aid>\d+)\-(?<words>\S+)" |makemv delim="-" words |mvexpand words ... View more

I missed it. Could you document the answer for everyone else? Also, what version of Splunk are you using? ... View more

Did you test your answer on Splunk 6.2+ in a distributed environment? I think the answer varies by version. ... View more