topic At which layer lookup works? in Splunk Search

At which layer lookup works?

rajeev_ku — Mon, 12 Aug 2019 00:18:36 GMT

Hi There,
Could anyone help me understand at which Splunk layer lookup works, I mean at input layer, indexer layer or search layer.

Thanks
Rajeev

Re: At which layer lookup works?

diogofgm — Mon, 12 Aug 2019 00:41:09 GMT

Lookups work in the indexer and/or the search layer depending on how your search is written and on what you are looking up from the lookup

Example:
you have a "hostcategory" lookup that has host, category

if you search: index=your_index | lookup hostcategory host OUTPOUT category | stats count by category
this will use the lookup in the indexer.

on the other hand if you search: index=your_index | stats count by host | lookup hostcategory host OUTPOUT category
this will use the lookup in the search head since its being used after and aggregation function.

More information from docs:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Aboutlookupsandfieldactions

Re: At which layer lookup works?

nareshinsvu — Mon, 12 Aug 2019 01:02:25 GMT

Lookups are created at search layer

https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Aboutlookupsandfieldactions

Note - Maintain and Housekeep lookups on a regular basis. It creates bundles on INDEXER servers with huge amount of space.
Keep an eye on %SPLUNK_HOME%\var\run\searchpeers (on your INDEXER servers) which is a reflection of your lookup volumes (created on SEARCH servers)