Hi! Thank you for this amazing video!
Is there another way to build a lookup table from a search?
Do you have a video to understand the kv store itself?
Hello Sir,
Thanks for the video. I have one doubt: you created a new lookup to populate the field automatically using the REST API. Can we use the REST API to populate an existing lookup?
Great video! Looking forward to more such videos. One video on how to use the Splunk SDKs: how can we use them, and what can they be used for?
Yes, those are in the pipeline.
Hi, thanks for the great video.
What is the size of the KV store? Will it vary with the environment?
The size of the KV store lookup will depend on how much data you put in. Technically it's a MongoDB.
Hello sir, how do I search in a lookup and also in the events with one search string? I have servers in a lookup, but I also want to include the remaining servers in the events. Thank you
Hi Sid, could you please make a simple video on creating a basic lookup, creating a lookup file, automatic lookups and the lookup editor?
Yep, sure.
How are you typing commands on the next line in the search field? What shortcut are you using, sir?
From your account preferences go to SPL Editor and check "search auto-format". If you have an unformatted search you can press Ctrl + | (pipe) to format it.
When you populate the lookup using outputlookup, do we need to save it as a saved search if the lookup needs to be updated regularly? Because in the video you populated the lookup once and it was working?
Yes, for continuous updates you need to set up a saved search.
Hello Sir,
Thank you for the easy-to-follow tutorial.
Can you please share your approach to build a solution for a scenario of fetching the list of hosts returned by an index but not listed in the lookup table?
Thank you
Yrobuno
tstats count where index=value by hosts
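As an added example (not code from the video or from either commenter), the following Python takes the kind of table that `| tstats count where index=<idx> by host` returns and a CSV lookup of known hosts, both constructed inline, and returns the hosts the lookup lacks. In SPL the same result comes from piping the tstats output into `| lookup <definition> host OUTPUT owner | where isnull(owner)` (my suggested query, not the thread's). The point the code makes is that the comparison only works once hostnames are normalised the same way on both sides; the lookup name `owner` field and the hostnames are assumptions for illustration.

```python
"""Hosts seen in events but absent from a lookup, checked offline."""
import csv
import io
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed tstats-style result: mixed case, FQDNs, a trailing dot.
TSTATS_ROWS = """\
host,count
web01.corp.example,120
WEB02.corp.example.,55
db01,9
db01.corp.example,3
bastion,1
"""

# Constructed asset lookup (short names only), as a CSV lookup would hold it.
LOOKUP_CSV = """\
host,owner
web01,team-web
web02,team-web
db01,team-db
"""


def normalize_host(host: str, strip_domain: bool = True) -> str:
    """Lower-case, drop a trailing dot, optionally keep only the short name."""
    h = host.strip().lower().rstrip(".")
    return h.split(".", 1)[0] if strip_domain else h


def load_event_counts(csv_text: str) -> Dict[str, int]:
    """Sum tstats counts per normalised host (db01 and db01.corp.example merge)."""
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[normalize_host(row["host"])] += int(row["count"])
    return dict(counts)


def load_lookup_hosts(csv_text: str) -> Set[str]:
    """Normalised set of hosts the lookup knows about."""
    return {normalize_host(r["host"]) for r in csv.DictReader(io.StringIO(csv_text))}


def hosts_missing_from_lookup(event_counts: Dict[str, int],
                              lookup_hosts: Set[str]) -> List[Tuple[str, int]]:
    """Hosts present in events that the lookup does not know, busiest first.

    Same idea as `| lookup <def> host OUTPUT owner | where isnull(owner)`.
    """
    missing = [(h, c) for h, c in event_counts.items() if h not in lookup_hosts]
    return sorted(missing, key=lambda hc: (-hc[1], hc[0]))


def naive_missing(csv_events: str, csv_lookup: str) -> Set[str]:
    """Raw set difference with no normalisation: the usual first attempt,
    which reports known hosts as missing because of case and domain suffixes."""
    events = {r["host"] for r in csv.DictReader(io.StringIO(csv_events))}
    known = {r["host"] for r in csv.DictReader(io.StringIO(csv_lookup))}
    return events - known


if __name__ == "__main__":
    counts = load_event_counts(TSTATS_ROWS)
    print("missing (normalised):", hosts_missing_from_lookup(counts, load_lookup_hosts(LOOKUP_CSV)))
    print("missing (naive):", sorted(naive_missing(TSTATS_ROWS, LOOKUP_CSV)))
```

With the constructed data the normalised comparison flags only `bastion`, while the naive set difference reports four hosts, three of which are actually in the lookup under a different spelling. In Splunk the equivalent normalisation is an `eval host=lower(replace(host, "\..*$", ""))` before the `lookup`, or a lookup definition configured as case-insensitive.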
Any pointers on using a time-based lookup with a KV store? I have checked all the Splunk documentation and tips on Splunk Community, but I cannot get it working!
Will you be able to provide me some sample data? I will try from my system. My email id: techiesid1985@gmail.com
docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/DefineaKVStorelookupinSplunkWeb
Great video! So if the KV store works for a single instance, is it fine to deploy the app in an SHC? Does it need any other config? Thanks
Yes, it's fine to deploy the app in an SHC. Generally KV store lookups run on the search head, and if you have indexer clustering the search head doesn't replicate the KV store lookups to the indexers because of their size. There is a setting in collections.conf called "replicate=true" which governs whether the search head will replicate to the indexers or not.
@splunk_ml OK, I will check more about the config in the Splunk docs, thanks
Does Splunk Enterprise Security use KV store lookups?
Thanks for the great video. I didn't see the video where you created the 'getgenre' custom command; could you point me to it?
Hello Bernard,
Please check the below video,
th-cam.com/video/sJRTIyZZtbM/w-d-xo.html
Sid
Hi Siddharth, I am unable to curl the Docker instance. I have mapped port 8089 --> 9002 (the port is open). Any idea what could be the issue? If I try to open the page localhost:9002 it doesn't open.
I think there should be a mapping between the Docker port and the Splunk port, and we need to access Splunk using the Docker port. I am not an expert in Docker; let me give you a link which may help you:
www.splunk.com/en_us/blog/tips-and-tricks/hands-on-lab-sandboxing-with-splunk-with-docker.html
Hi Sid, can we create an automatic lookup for a multivalue field, like the genre_ids{} field in the tmdb index?
Yes, we can. Let me share a couple of links; have a look:
docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/DefineanautomaticlookupinSplunkWeb
answers.splunk.com/answers/42786/multivalued-output-field-for-my-automatic-lookup.html
I got an error:
Error in 'outputlookup' command: The lookup table 'kv_testing' is invalid.
But I have collections.conf and transforms.conf set up properly.
Hello Daniel,
Can you send me the details through email, I mean all the configs you have done? It will be easier for me to assist.
Sid
@splunk_ml I got it sorted out. I was using the name of the KV store collection from collections.conf where I should have used the transforms name.
Cool...👍
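The fix Daniel describes, that `outputlookup` wants the lookup definition (the transforms.conf stanza) and not the collections.conf stanza, is easy to check before running a search. The script below is an added example, not code from the video or from Splunk: it parses a constructed collections.conf and transforms.conf with Python's configparser (Splunk .conf files are INI-style) and diagnoses a given `outputlookup` target. It also lists which collections have `replicate = true`, the setting mentioned further up for indexer replication. The `kv_testing` / `kv_testing_lookup` names echo the thread; `kv_big`, `kv_orphan_lookup` and `kv_missing` are hypothetical stanzas added to show the other failure modes.

```python
"""Offline consistency check for Splunk KV store lookup configuration."""
import configparser
from typing import Dict, List

# Constructed sample configs (not from any real deployment).
COLLECTIONS_CONF = """\
[kv_testing]
field.host = string
field.owner = string
replicate = false

[kv_big]
field.session = string
replicate = true
"""

TRANSFORMS_CONF = """\
[kv_testing_lookup]
external_type = kvstore
collection = kv_testing
fields_list = _key, host, owner

[kv_orphan_lookup]
external_type = kvstore
collection = kv_missing
fields_list = _key, host
"""

Stanzas = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Stanzas:
    """Splunk .conf files are INI-style: [stanza] headers and key = value lines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (field.host, fields_list, ...)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def kvstore_lookups(transforms: Stanzas) -> Stanzas:
    """Only stanzas with external_type = kvstore are KV store lookup definitions."""
    return {n: s for n, s in transforms.items()
            if s.get("external_type", "").strip().lower() == "kvstore"}


def check_outputlookup_target(target: str, collections: Stanzas,
                              transforms: Stanzas) -> str:
    """Diagnose `| outputlookup <target>` against the two conf files.

    outputlookup, inputlookup and lookup take the lookup definition name,
    i.e. the transforms.conf stanza, never the collections.conf stanza.
    """
    lookups = kvstore_lookups(transforms)
    if target in lookups:
        coll = lookups[target].get("collection", "").strip()
        if coll in collections:
            return "ok"
        return (f"lookup definition '{target}' references collection "
                f"'{coll}', which has no stanza in collections.conf")
    if target in collections:
        defs = [n for n, s in lookups.items()
                if s.get("collection", "").strip() == target]
        hint = (f"; use '{defs[0]}' instead" if defs else
                f"; add a transforms.conf stanza with collection = {target}")
        return f"'{target}' is a collections.conf stanza, not a lookup definition" + hint
    return f"'{target}' is neither a lookup definition nor a collection"


def replicated_collections(collections: Stanzas) -> List[str]:
    """Collections with replicate = true are replicated to the indexers;
    large collections are the usual reason to leave it false."""
    return sorted(n for n, s in collections.items()
                  if s.get("replicate", "false").strip().lower() == "true")


if __name__ == "__main__":
    cols = parse_conf(COLLECTIONS_CONF)
    tfs = parse_conf(TRANSFORMS_CONF)
    for name in ("kv_testing", "kv_testing_lookup", "kv_orphan_lookup"):
        print(f"outputlookup {name}: {check_outputlookup_target(name, cols, tfs)}")
    print("replicated to indexers:", replicated_collections(cols))
```

Run against the sample configs, `outputlookup kv_testing` is reported as the collection-instead-of-definition mistake from the thread with the correct name suggested, `kv_testing_lookup` passes, and `kv_orphan_lookup` is flagged because its `collection` has no stanza. Point the two constants at real files (read with the same `parse_conf`) to check a deployment before the search head does.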
Hi Siddharth, when I try to run the curl query my cmd sends me this message:
C:\WINDOWS\system32>curl -k -u admin:monitor! localhost:8089/servicesNS/nobody/tmdb/storage/collections/config
Unauthorized
Can you help me? Thanks
You need to use your password for the admin user.
@splunk_ml Could you write me an example of this command line for my issue? I have been using DOS for a very short time. Thank you
Don't we need to add the key field in collections.conf? You only updated the lookup definition.
Nope, _key is automatically generated.
Hello, great video.
I have a query: I want to input a value for a parameter in my search query. The values are in a CSV file. How do I approach this?
You can create a lookup using that CSV and then use a subsearch to return the value to the main search. Check this video I created:
th-cam.com/video/TiwKp-T56xQ/w-d-xo.html
Hi, I am having an issue with the KV store consuming 40GB of space. Can you please suggest how to resolve it?
Can you tell me how you are ingesting data into the KV store? Is the _raw field part of the data you are ingesting?
@splunk_ml Thanks for replying. I am a newbie to Splunk, so I am having trouble finding a solution. So far what I can see from the collection stats is "splunk_app_windows_infrastructure.tSessions_collection" taking up around 15GB of space. If it's normal then I feel it's better to move the KV store --> Mongo to another disk/drive.
Hey, how do I load nested JSON into Splunk? It's not being recognized as a single event.
Hi Praneeth,
Can you send me the sample event? I will take a look.
Sid
With the SPL query getgenre * I get no events. Can you help me regarding that?
Can you send me the script you have written? I will take a look: techiesid1985@gmail.com
Please give each video a unique number in chronological order.
How do we create a collection name in the UI?
I think there is no provision to create that from the UI currently.