Splunk Lookups : Lookups fundamentals & detail discussion on KV Store Lookups

Рет қаралды 44,945

Күн бұрын

Пікірлер: 56

@rajivaws6975 2 жыл бұрын

Hello Sir, Thanks for the video.. i have one doubt.. you created a new lookup to populate the field automatically using rest API ...can we use the rest api to populate the existing lookup?

@BrayanRodriguez-mw7iw Жыл бұрын

Do you have a video to understand the kv store itself?

@venky_1544 3 жыл бұрын

When you populate the lookup using outputlookup do we need to save it as savedsearch if the lookup needs to be updated regularly ?? Coz in the video you wrote populated the lookup once and it was working ??

@splunk_ml 3 жыл бұрын

yes for continious update you need to setup savedsearch.

@jabdan 4 жыл бұрын

Hi,Thanks for the great video. What is the size of kv store? will vary w.r.t. environment?

@splunk_ml 4 жыл бұрын

The size of the KV store lookup will depend on how much data you will put in. technically its a mongodb.

@JessicaFerreira-cy1hw 3 жыл бұрын

Hi! Thank you for this amazing video! Exists another way to build a lookup table from a seach?

@jytan740 2 жыл бұрын

Splunk Enterprise Security belongs to kvstore lookup?

@ravidoddy3308 5 жыл бұрын

Great Video..!!! looking forward for some more such video. One video on how to use Splunk SKDs how can we use it, for what all we can use SDKs

@splunk_ml 5 жыл бұрын

Yes those are in pipeline.

@GizmoBurn 3 жыл бұрын

Any pointers on using the time-based lookup with a kvstore? I have checked all the Splunk documentation and tips on Splunk Community, but I cannot get it working!

@splunk_ml 3 жыл бұрын

will you be able to provide me some sample data ....I will try from my system. My email id : techiesid1985@gmail.com docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/DefineaKVStorelookupinSplunkWeb

@SantoshKumar-bm2iz 3 жыл бұрын

How you are typing commands In next line in search field..what short cut u are using sir?

@splunk_ml 3 жыл бұрын

from your account preference go to SPL Editor and check search auto format. If you have unformatted search you can press Cntl + | (pipe) to format that.

@hasankaracayir9015 2 жыл бұрын

Hello sir, how do i search in a lookup and also in the events with 1 search string? I have Servers in a lookup but i also want to include the remaining servers in the events. Thank you

@santhoshig7784 4 жыл бұрын

Hi Sid, could you please make a simple video on creating basic lookup,creating lookup file, automatic lookup and lookup editor.

@splunk_ml 4 жыл бұрын

Yep sure

@willluo7244 5 жыл бұрын

great video! so if the kv store works for single instance, is it fine for deploying the app in SHC？needs any other config？ thx

@splunk_ml 5 жыл бұрын

yes its fine to deploy the app in SHC, generally KV store lookups runs on search head and if you have indexer clustering search head dont replicate the KV store lookups to indexer because of its size. There is a config which you can do it in collection.conf called "replicate=true" which governs whether search head will replicate to indexer or not.

@willluo7244 5 жыл бұрын

@@splunk_ml ok i will check more about the config on splunk doc, thx thx

@taruchitgoyal3735 2 жыл бұрын

Hello Sir, Thank you for easy to follow tutorial. Can you please share your approach to build a solution for a scenario of fetching list of hosts returned by an index but not listed in the lookup table? Thank you

@ximoximos3216 2 жыл бұрын

Yrobuno

@nishanthgaddam8426 Жыл бұрын

Tstats count where index= value by hosts

@nishadt 4 жыл бұрын

Hi Siddharth, I am unable to do curl on docker instance - I have mapped the port 8089 --> 9002 (Port is open) any idea what could be the issue. If I try to open the page localhost:9002 it doesn't open.

@splunk_ml 4 жыл бұрын

I think there should be a mapping between docker port and splunk port and we need to access splunk using docker port. I am not expert in docker, let me give you a link which may help you, www.splunk.com/en_us/blog/tips-and-tricks/hands-on-lab-sandboxing-with-splunk-with-docker.html

@saby826 4 жыл бұрын

With the spl query getgenre * no events can you help me regarding that?

@splunk_ml 4 жыл бұрын

can you send me the script you written? I will take a look, techiesid1985@gmail.com

@GizmoBurn 4 жыл бұрын

Thanks for the great video. I didn't see the video where you created the 'getgenre' custom command, could you point me to it?

@splunk_ml 4 жыл бұрын

Hello Bernard, Please check the below video, kzbin.info/www/bejne/qXu1hXyvj7-nmK8 Sid

@santhoshig7784 4 жыл бұрын

Hi Sid, can we create an automatic lookup for a multivalue field? , like genre_ids{} field in tmdb index.

@splunk_ml 4 жыл бұрын

yes we can. let me share you couple of links, have a look, docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/DefineanautomaticlookupinSplunkWeb answers.splunk.com/answers/42786/multivalued-output-field-for-my-automatic-lookup.html

@praneethnagu1952 5 жыл бұрын

Hey, How do i load the nested json into splunk. It's not recognizing as a single event.

@splunk_ml 5 жыл бұрын

Hi Praneeth, Can you send me the sample event. I will take a look. Sid

@creativex9983 4 жыл бұрын

Don't we need to add key field in the collections.conf? You only updated the lookup definition.

@splunk_ml 4 жыл бұрын

Nope..._Key is automatically generated.

@federicostefanutti2602 3 жыл бұрын

Hi siddartha, when i try to run the curl query my cmd send me this message C:\WINDOWS\system32>curl -k -u admin:monitor! localhost:8089/servicesNS/nobody/tmdb/storage/collections/config Unauthorized Can you help me? thx

@splunk_ml 3 жыл бұрын

You need to use your password for the admin uaer

@federicostefanutti2602 3 жыл бұрын

@@splunk_ml Could you write me an example of this command line for my issue? i'm using DOS since very short time. Thank you

@sanjeev.poddar 5 жыл бұрын

Hi, I am having issue with Kvstore consuming 40GB of space. Can you please suggest to resolve it.

@splunk_ml 5 жыл бұрын

Can you tell me how you are ingesting data to kv store? Is _raw field is part of the data you are ingesting?

@sanjeev.poddar 5 жыл бұрын

@@splunk_ml Thanks for replying, I am newbie to Splunk so having trouble finding a solution. So far what I can see from the Collection stat is "splunk_app_windows_infrastructure.tSessions_collection" taking up around 15GB of space. If its normal then I feel its better to move kvstore--> Mongo to another disk/drive.

@grainfrizz 5 жыл бұрын

I got an error Error in 'outputlookup' command: The lookup table 'kv_testing' is invalid. But I have the collections.conf and transforms.conf setup properly

@splunk_ml 5 жыл бұрын

Hello Daniel, Can you send me the details through email, I mean all the configs you have done. It will be easier for me to assist. Sid

@grainfrizz 5 жыл бұрын

@@splunk_ml i got it sorted out. I was using the name of the kv on collections.conf where I should have used the transforms name

@splunk_ml 5 жыл бұрын

Cool...👍

@grainfrizz 4 жыл бұрын

How do we create collections name in UI?

@splunk_ml 4 жыл бұрын

I think there is no provision to create that from UI currently.

@supreethmurugesh3230 4 жыл бұрын

Hello, great video. I have a query : I want to input value for a parameter in my search query. The values are in a csv file. How to approach this ?

@splunk_ml 4 жыл бұрын

you can create a lookup using that csv and the use subsearch to return value to main search. Check this video I created. kzbin.info/www/bejne/iprafKNjiZpprrM