Splunk Search

How to figure out which lookup .csv file a certain index is using?

chow11
New Member

In Splunk, how do I figure out which lookup .csv file a certain index is using? In other words, how to find which index is using a certain lookup file in Splunk?

0 Karma

DalJeanis
SplunkTrust

Okay, here are some debug steps

First, find the search that is loading the summary index.

Second, run that search independently for a time in the past that has already been added to the summary index, but without the `collect` statement.

Third, run a similar search against your summary index, and see if they match.

If not, then we need to identify why your summary index is wrong, and by how much.

0 Karma
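The three steps above as a single search, added here as an illustration and not DalJeanis's own query. It assumes one event per transaction in indexA, a summary field named `peak_tps` in indexB, and a shared `Domain_Name` field; all three are hypothetical and must be replaced with the fields your summary-populating search actually writes.

```spl
index=indexA earliest=-2d@d latest=-1d@d
| bin _time span=1s
| stats count AS tps BY _time, Domain_Name
| bin _time span=15m
| stats max(tps) AS raw_peak_tps BY _time, Domain_Name
| append
    [ search index=indexB earliest=-2d@d latest=-1d@d
      | bin _time span=15m
      | stats max(peak_tps) AS summary_peak_tps BY _time, Domain_Name ]
| stats values(raw_peak_tps) AS raw_peak_tps, values(summary_peak_tps) AS summary_peak_tps BY _time, Domain_Name
| eval diff = raw_peak_tps - summary_peak_tps
| where isnull(raw_peak_tps) OR isnull(summary_peak_tps) OR diff != 0
| sort _time, Domain_Name
```

Rows that come back are the 15-minute buckets where the two sources disagree or where one side has no data. The `append` subsearch is subject to subsearch result and runtime limits, so keep the time window narrow.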

chow11
New Member

Hi DalJeanis,
I have another, different question. Not sure how to ask you the question directly, hence asking in the same thread, sorry!

This is the query I am trying to use to pull memory usage %

index=ff sourcetype=metrics_tbl [|inputlookup Domains_Instances_Servers.csv | search Instance_Name="r_prod_" Domain_Name="r_prod_cache_01" OR "r_prod_cache_03" OR "r_prod_cache_05" OR "r_prod_cache_07" LOB="Digi" Domain_Layer="Cacheis" | table Server_Name | rename Server_Name as machine ] earliest=-16m@m latest=-1m@m | bin _time span=15m | eval ServerMem=if(metric_category="OsResource",Memory,0) | eventstats count(eval(metric_category="OsResource")) as OSEvents, sum(ServerCPU) as TotalCPU , sum(ServerMem) as TotalMem by machine, LOB, Domain_Layer, Domain_Name, Instance_Name, Channel | eval avgCpu=round(TotalCPU/OSEvents,2) ,avgMem=round(TotalMem/OSEvents,2) | stats values(avgCpu) as "ServerCPU%" , values(avgMem) as "ServerMem%" by machine, _time, LOB, Domain_Layer, Domain_Name, Instance_Name, Channel | rename machine as Server, process as Instance, ServerMem% as val_ServerMem% | eval ts_time = _time * 1000 | top limit=1 Server by ts_time, val_ServerMem%, LOB, Domain_Layer, Domain_Name, Instance_Name, Channel | table ts_time, Server, LOB, Domain_Layer, Channel, Domain_Name, Instance_Name, val_ServerMem%

In the output/result table, values are displayed only for ts_time, Server, val_ServerMem% and all the remaining columns (LOB, Domain_Layer, Channel, Domain_Name, Instance_Name) are empty. How can I get values for all of these (LOB, Domain_Layer, Channel, Domain_Name, Instance_Name) as well?

Appreciate your help a lot!! I'm desperate, please help!

0 Karma

chow11
New Member

I'm new to Splunk. Could you please provide some example queries which would make more sense to me for all the steps you mentioned? Please!!

0 Karma

chow11
New Member

More details:

I have two indices. I am trying to compare them both. When I use the 1st index (indexA) I am getting a certain result and when I use the 2nd (indexB) I am getting another result, but it's supposed to give the same result.
What I am trying to do: calculate the peak TPS value of my domains and instances using those indices. indexA is not a summary index. indexB is a summary index. How can I verify what the difference between those indices is and why they are showing different TPS values for the same selected time range?

0 Karma

s2_splunk
Splunk Employee

Now I am completely lost. How does this relate to lookup .csv files?

0 Karma

chow11
New Member

Forget about lookup files. I might have explained it the wrong way in the first comment/question.
Please take my second comment/question as the main question and please provide me a solution.

0 Karma

s2_splunk
Splunk Employee

Tell us more, please. Indices are not using lookup files. Lookup files are used in search queries via the lookup or inputlookup command, or you can have automatic lookups that are tied to a sourcetype and executed when you run a search that includes events for that sourcetype.

0 Karma

chow11
New Member

I have two indices. I am trying to compare them both. When I use the 1st index (indexA) I am getting a certain result and when I use the 2nd (indexB) I am getting another result, but it's supposed to give the same result.
What I am trying to do: calculate the peak TPS value of my domains and instances using those indices. indexA is not a summary index. indexB is a summary index. How can I verify what the difference between those indices is and why they are showing different TPS values for the same selected time range?

0 Karma