topic Re: Can anyone explain what does these lookup statements mean ? in Splunk Search

Can anyone explain what does these lookup statements mean ?

zacksoft_wf — Tue, 01 Mar 2022 10:38:19 GMT

| lookup update=true SpamIntel_by_email_subject subject OUTPUT
| lookup update=true SpamIntel_by_email_subject_wildcard subject OUTPUTNEW

What is update=true ?
What field it is comparing to update what ?
Whats the difference between between Output and Outputnew

I didn't understand from the splunk's documentation well.

Re: Can anyone explain what does these lookup statements mean ?

gcusello — Tue, 01 Mar 2022 10:48:04 GMT

Hi @zacksoft_wf,

as you can see at https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Lookup

About the first question: update=True

If the lookup table is modified on disk while the search is running, real-time searches do not automatically reflect the update.

To do this, specify update=true.

This does not apply to searches that are not real-time searches.

This implies that local=true.

Default: false

About the second question: difference between OUTPUT and OUTPUTNEW

When using the lookup command, if an OUTPUT or OUTPUTNEW clause is not specified, all of the fields in the lookup table that are not the match fields are used as output fields.

If the OUTPUT clause is specified, the output lookup fields overwrite existing fields.

If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist.

In few words:

update=True is only for real-time searches,
OUTPUT overrides existing fields, OUTPUTNEW no.

Ciao.

Giuseppe

Re: Can anyone explain what does these lookup statements mean ?

zacksoft_wf — Tue, 01 Mar 2022 11:01:43 GMT

Is the 'subject' field of the lookup 'SpamIntel_by_email_subject' getting updated , as a result of this command ?

Re: Can anyone explain what does these lookup statements mean ?

gcusello — Tue, 01 Mar 2022 11:40:08 GMT

Hi @zacksoft_wf,

no, it's the opposite:

using OUTPUT option, if you already have from the main search a value in one of the fields in OUTPUT, it's ovewritten by the value of the lookup.

To override a value in a lookup, you have to use outputlookup but it's a different thing.

Ciao.

Giuseppe

Re: Can anyone explain what does these lookup statements mean ?

zacksoft_wf — Tue, 01 Mar 2022 12:10:47 GMT

@gcusello
In my lookup command after OUTPUT there is no field, and thats what makes me wonder what field will overwrite/write what...after comparing with what
Let me put the code

| tstats `summariesonly` values(sourcetype) as sourcetype,
values(Email.src) as src,
values(Email.dest) as dest
from datamodel=Email.Email
by Email.subject
| `drop_dm_object_name("Email")`
| lookup update=true SpamIntel_by_email_subject subject OUTPUT

What's the SPL doing where ?
Sorry for the stupid question but this particular lookup command usage confuses me .

Re: Can anyone explain what does these lookup statements mean ?

gcusello — Tue, 01 Mar 2022 12:40:21 GMT

Hi @zacksoft_wf,

after OUTPUT you have to list the lookup fields you want, e.g.:

| lookup update=true SpamIntel_by_email_subject subject OUTPUT field1 field2 field3

Ciao.

Giuseppe