Find size of lookup files in Splunk Web


I needed to list the lookup tables and their sizes using Splunk Web. Here's a query to do just that!

| rest splunk_server=local /services/data/lookup-table-files/
| rename eai:acl.app as app
| table app title
| search NOT title IN (*.kmz)
| map maxsearches=990 search="| inputlookup $title$
| eval size=0
| foreach * [ eval size=size+coalesce(len('<<FIELD>>'),0), app=\"$app$\", title=\"$title$\" | fields app title size]"
| stats sum(size) by app title
| sort - sum(size)

The Splunk foreach SPL command is pretty useful for building powerful queries.

Trello provides a powerful platform for managing any project in a Kanban or Scrum methodology.


Here's a macro to remove duplicate fields from a Splunk query result set.

You can use this query to programmatically remove empty fields from Splunk results.

A common problem in large-scale Splunk environments is that Splunk forwarders phone home to the deployment server (DS) too frequently. When a forwarder phones home to the DS more often than necessary, it wastes resources on the DS, and can prevent the DS from deploying apps to forwarders correctly.

Bookmarks of frequently used Splunk documentation for admins, consultants, and power users.

To add these bookmarks to Chrome, open the bookmark manager and then click import bookmarks.

To add these bookmarks to Firefox, open the bookmark manager and then click import bookmarks from HTML.


A dashboard to list saved searches and show which searches might be accelerated, scheduled, or real-time scheduled.

The dashboard is available in this GitHub repo.



When working with Markdown, you may need to escape formatting characters. For instance, pasting source code into Trello cards requires the text to be escaped or else certain characters will be interpreted as markdown.

When you're working with the stats command, it's often nice to rename the fields to drop the aggregation type:

| makeresults count=3 
| streamstats count
| eval foo="bar"
| stats latest(foo) as foo latest(count) as count

This gets annoying because of all the extra typing involved, and it violates the DRY principle.

Instead, try this next time:


