Troubleshooting lookups
If you are having problems with a lookup, very often the problem is with
permissions. Check permissions at all three of these paths:
• Manager | Lookups | Lookup table files
• Manager | Lookups | Lookup definitions
• Manager | Lookups | Automatic lookups
Once permissions are squared away, be sure to keep the following points in mind:
• Check your spelling of the fields.
• By default, lookup values are case sensitive.
• If your installation is using multiple indexers, it may take some time for the
lookup files and definitions to be distributed to your indexers, particularly
if the lookup files are large or you have installed many apps that have assets
to be distributed.
• A rule of thumb is that a lookup file should not have more than two million
rows. If a lookup is too large, an external lookup script may be required.
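A pre-flight check for the spelling, case, and size points above, as an added example that is not from the original text. The function name check_lookup, the sample CSV, and the event values are constructed for illustration.

```python
import csv
import io

MAX_ROWS = 2_000_000  # rule of thumb quoted in the text above

def check_lookup(csv_text, search_fields, sample_values, max_rows=MAX_ROWS):
    """Return a list of problems that would make a lookup silently miss.

    csv_text      -- contents of the lookup CSV file
    search_fields -- field names the search passes to the lookup
    sample_values -- {lookup_field: [values as they appear in events]}
    """
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    by_lower = {h.lower(): h for h in header}

    # Spelling: field names must match the CSV header exactly.
    for field in search_fields:
        if field in header:
            continue
        near = by_lower.get(field.strip().lower())
        hint = f"; did you mean '{near}'?" if near else f"; header is {header}"
        problems.append(f"field '{field}' not in lookup header{hint}")

    # Gather the values of the columns we were asked to test, counting rows.
    seen = {f: set() for f in sample_values if f in header}
    rows = 0
    for row in reader:
        rows += 1
        for f in seen:
            seen[f].add(row.get(f) or "")

    # Case: values that match only when case is ignored will not be found.
    for f, values in sample_values.items():
        lowered = {v.lower(): v for v in seen.get(f, ())}
        for v in values:
            if v not in seen.get(f, ()) and v.lower() in lowered:
                problems.append(
                    f"value '{v}' for '{f}' differs only by case from '{lowered[v.lower()]}'")

    # Size: flag files past the rule-of-thumb row count.
    if rows > max_rows:
        problems.append(f"{rows} rows exceeds the rule of thumb of {max_rows}")
    return problems

# Constructed sample lookup file and event values.
SAMPLE_CSV = "user,department\nmary,Finance\nBob,IT\n"

if __name__ == "__main__":
    for p in check_lookup(SAMPLE_CSV, ["User", "department"], {"user": ["Mary", "Bob"]}):
        print(p)
```
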
Using macros to reuse logic
A macro serves the purpose of replacing bits of search language with expanded
phrases. Using macros can help you reuse logic and greatly reduce the length
of queries.
Let's use one of our examples from Chapter 5, Advanced Search Examples, as our
example case:
sourcetype="impl_splunk_web" user=mary
| transaction maxpause=5m user
| stats avg(duration) avg(eventcount)
 