topic Re: Disable automatic lookups for a search in Splunk Search

Disable automatic lookups for a search

dewoodruff — Fri, 25 Oct 2019 16:44:48 GMT

I am using a summary index where the events being added to it contain different types of data, and therefore have different kinds and numbers of fields. I want to run a generic search against this summary index for when type=alert and have an email generated containing all the fields for that event.

The problem is others using this search head have defined many different automatic lookups that sometimes match my fields. I do not want the alert email to contain any of the automatic lookup output.

How can I disable all automatic lookups for just this search so my email isn't filled with junk? I found this previous question and understand the on up-voted response, but the question is not actually answered - https://answers.splunk.com/answers/113653/ignore-automatic-lookup-just-for-a-search.html

I contemplated doing "|fields -" but there are over 150 auto lookup fields in some cases... Is there a way to disable lookups for a specific eventtype, in which case I can define one for this summary index?

Thanks in advance.

Re: Disable automatic lookups for a search

to4kawa — Fri, 25 Oct 2019 23:56:03 GMT

How about changing the permission of lookup to limit the users who can use it?

Re: Disable automatic lookups for a search

woodcock — Sat, 26 Oct 2019 02:43:20 GMT

The automatic lookups should be contained within a stanza with a sourcetype in the definition, but clearly yours are not. The problem is not that it is exported globally to all apps, it is that it is defined by some kind of wildcard, which is not the right way to do it. Find the automatic lookup definition and ensure that it is associated with only the specific sourcetype values to which it applies.

Re: Disable automatic lookups for a search

dewoodruff — Tue, 29 Oct 2019 14:54:05 GMT

That's an idea. I don't think our admins would go for that though. Many of the lookups come from TAs.

Re: Disable automatic lookups for a search

dewoodruff — Tue, 29 Oct 2019 15:04:55 GMT

Thanks. Almost all of the lookups come from TAs like the TA for Windows or Identity Management. They're doing things like pulling out any 'user' field regardless of source type and enriching with LDAP information.

Other examples are the built in date_ fields. I don't think those are lookups, are they? Maybe I'm asking with the wrong term.

What I'm really looking for is a search command that will output only the fields that were extracted from the log message itself - no enrichments, no lookups, no built-ins. Does such a thing exist?

Re: Disable automatic lookups for a search

woodcock — Wed, 06 Nov 2019 03:38:21 GMT

The closest that you can probably get is something like this:

Your Search Here | table _time _raw | kv

Re: Disable automatic lookups for a search

woodcock — Wed, 06 Nov 2019 03:38:39 GMT

See my new answer.

Re: Disable automatic lookups for a search

dewoodruff — Wed, 06 Nov 2019 15:41:17 GMT

Perfect, that's exactly what I'm looking for! kv was not in my regular arsenal of commands. Simple and dynamic, thank you.