In Splunk, how do I figure out which lookup .csv file a certain index is using? In other words, how to find which index is using a certain lookup file in Splunk?
Okay, here are some debug steps:
First, find the search that is loading the summary index.
Second, run that search independently for a time in the past that has already been added to the summary index, but without the `collect` statement.
Third, run a similar search against your summary index, and see if they match.
If not, then we need to identify why your summary index is wrong, and by how much.
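As an added example (not part of the original thread), one way to carry out the third step and measure "by how much" is to export both result sets to CSV and compare them bucket by bucket. The column names (`_time`, `Domain_Name`, `tx`), the sample rows, and the assumption that both searches use the same time bucket span are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real data). Column names are assumptions:
# _time bucket, Domain_Name, and a per-bucket transaction count "tx".
BASE_CSV = """_time,Domain_Name,tx
2024-01-01T00:00:00,r_prod_cache_01,900
2024-01-01T00:15:00,r_prod_cache_01,1200
2024-01-01T00:30:00,r_prod_cache_01,600
2024-01-01T00:00:00,r_prod_cache_03,300
"""
SUMMARY_CSV = """_time,Domain_Name,tx
2024-01-01T00:00:00,r_prod_cache_01,900
2024-01-01T00:15:00,r_prod_cache_01,1200
2024-01-01T00:15:00,r_prod_cache_01,1200
2024-01-01T00:00:00,r_prod_cache_03,250
"""

def load(text, keys=("_time", "Domain_Name"), value="tx"):
    """Return {key: [values]} so repeated rows for one bucket stay visible."""
    rows = defaultdict(list)
    for rec in csv.DictReader(io.StringIO(text)):
        rows[tuple(rec[k] for k in keys)].append(float(rec[value]))
    return rows

def compare(base_text, summary_text):
    """List every bucket where the summary disagrees with the base search."""
    base, summ = load(base_text), load(summary_text)
    findings = []
    for key in sorted(set(base) | set(summ)):
        b, s = sum(base.get(key, [])), sum(summ.get(key, []))
        if key not in summ:
            kind = "missing_in_summary"      # bucket was never written
        elif key not in base:
            kind = "only_in_summary"         # summary has data the base lacks
        elif len(summ[key]) > len(base[key]):
            kind = "duplicated_in_summary"   # same bucket written more than once
        elif b != s:
            kind = "value_mismatch"
        else:
            continue
        findings.append({"key": key, "kind": kind, "base": b, "summary": s, "delta": s - b})
    return findings

if __name__ == "__main__":
    for finding in compare(BASE_CSV, SUMMARY_CSV):
        print(finding)
```

The `kind` column separates buckets the summary never received from buckets written more than once, which call for different fixes on the populating search.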
Hi DalJeanis,
I have another, different question. I'm not sure how to ask you the question directly, hence asking in the same thread, sorry!
This is the query I am trying to use to pull memory usage %
index=ff sourcetype=metrics_tbl [|inputlookup Domains_Instances_Servers.csv | search Instance_Name="r_prod_" Domain_Name="r_prod_cache_01" OR "r_prod_cache_03" OR "r_prod_cache_05" OR "r_prod_cache_07" LOB="Digi" Domain_Layer="Cacheis" | table Server_Name | rename Server_Name as machine ] earliest=-16m@m latest=-1m@m | bin _time span=15m | eval ServerMem=if(metric_category="OsResource",Memory,0) | eventstats count(eval(metric_category="OsResource")) as OSEvents, sum(ServerCPU) as TotalCPU , sum(ServerMem) as TotalMem by machine, LOB, Domain_Layer, Domain_Name, Instance_Name, Channel | eval avgCpu=round(TotalCPU/OSEvents,2) ,avgMem=round(TotalMem/OSEvents,2) | stats values(avgCpu) as "ServerCPU%" , values(avgMem) as "ServerMem%" by machine, _time, LOB, Domain_Layer, Domain_Name, Instance_Name, Channel | rename machine as Server, process as Instance, ServerMem% as val_ServerMem% | eval ts_time = _time * 1000 | top limit=1 Server by ts_time, val_ServerMem%, LOB, Domain_Layer, Domain_Name, Instance_Name, Channel | table ts_time, Server, LOB, Domain_Layer, Channel, Domain_Name, Instance_Name, val_ServerMem%
In the output/result table, values are displayed only for ts_time, Server and val_ServerMem%, and all the remaining columns (LOB, Domain_Layer, Channel, Domain_Name, Instance_Name) are empty. How can I get values for all of these (LOB, Domain_Layer, Channel, Domain_Name, Instance_Name) as well?
Appreciate your help a lot!! I'm desperate, please help!
I'm new to Splunk. Could you please provide some example queries which would make more sense to me for all the steps you mentioned? Please!!
More details:
I have two indices. I am trying to compare them both. When I use the 1st index (indexA) I get a certain result, and when I use the 2nd (indexB) I get another result, but they are supposed to give the same result.
What I am trying to do: calculate the peak TPS value of my domains and instances using those indices. indexA is not a summary index. indexB is a summary index. How can I verify what the difference between those indices is, and why they are showing different TPS values for the same selected time range?
Now I am completely lost. How does this relate to lookup .csv files?
Forget about lookup files. I might have explained it the wrong way in the first comment/question.
Please take my second comment/question as the main question and please provide me a solution.
Tell us more, please. Indices are not using lookup files. Lookup files are used in search queries via the lookup or inputlookup command, or you can have automatic lookups that are tied to a sourcetype and executed when you run a search that includes events for that sourcetype.
I have two indices. I am trying to compare them both. When I use the 1st index (indexA) I get a certain result, and when I use the 2nd (indexB) I get another result, but they are supposed to give the same result.
What I am trying to do: calculate the peak TPS value of my domains and instances using those indices. indexA is not a summary index. indexB is a summary index. How can I verify what the difference between those indices is, and why they are showing different TPS values for the same selected time range?