topic Re: Are there any use cases that justify the over-head of automatic lookups? in Splunk Search

Are there any use cases that justify the over-head of automatic lookups?

ddrillic — Mon, 22 Apr 2019 14:42:31 GMT

Our team discourages all users from using automatic lookups due to the over-head incurred in each search query.

Are there any best practices around it?

Re: Are there any use cases that justify the over-head of automatic lookups?

grittonc — Mon, 22 Apr 2019 17:37:02 GMT

@SloshBurch this sounds like a job for the best practices tag.

Re: Are there any use cases that justify the over-head of automatic lookups?

sloshburch — Fri, 07 Jun 2019 13:10:36 GMT

Thanks @grittonc!

I've added the best-practices tag and will review this when we start work on lookups (no ETA). Thanks again!

Re: Are there any use cases that justify the over-head of automatic lookups?

marycordova — Wed, 10 Jul 2019 23:33:19 GMT

I would say that lookups that translate things into human, for example protocol numbers like 6 and 17 are TCP and UDP would be a good candidates. In this specific case the data set is limited, and, instead of doing all ~150 in a lookup you could do like the top 10 or 20 and even just put those into a regular .props "case" statement instead of a lookup.

One of the other main usecases I've used is user enrichment, where you have log events with users and everytime you want to investigate something you always need to know who is this user, what department are they in, what is their SAM acct, their phone, their email, the last time their password was changed, etc.