https://community.splunk.com/t5/Splunk-Search/Outputlookup-Before-Lookup/m-p/756794#M243132 <P>I'm working with a search that starts by filtering for all process events in Windows and then sending them to a lookup file using outputlookup&nbsp;with the 'append' flag set to false so it resets each run. For example, <EM>process_events.csv</EM><BR /><BR />The following lines then applies various filters to the search, brining it down to only a small handful of events.<BR /><BR />The next lines then use the lookup command to pull from the new lookup file created at the start with all the process events prior to filtering. Using it, I create fields showing the grandparent process for the remaining process events.<BR /><BR />With the grandparent process added, I use a subsearch in the below manner to filter out events which match a separate lookup table I use as a whitelist.</P><P>&nbsp;</P><LI-CODE lang="markup">| search NOT [ inputlookup whitelist | fields + src_hostname user grandparent_process_path parent_process_path process_path]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>The issue, I'm afraid, is how Splunk's order of operations works. When the search runs on its schedule, it's like the lookup commands are parsed before the outputlookup command despite that not being how the search is written. Because of this, I feel like it checks the prior instance of <EM>process_events.csv&nbsp;</EM>before it's been regenerated by outputlookup with fresh data. As such, the grandparent_process_path field comes back as "n/a" rather than being filled properly so that it can be checked against the whitelist properly.<BR /><BR />Am I thinking along the right lines here? Is there some nuance of outputlookup I'm missing? If so, any ideas on fixing it, or am I gonna need to scrap this whole idea to add in grandparent processes to process event logs?</P> Fri, 26 Dec 2025 09:56:10 GMT dtaylor 2025-12-26T09:56:10Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-Before-Lookup/m-p/756794#M243132 <P>I'm working with a search that starts by filtering for all process events in Windows and then sending them to a lookup file using outputlookup&nbsp;with the 'append' flag set to false so it resets each run. For example, <EM>process_events.csv</EM><BR /><BR />The following lines then applies various filters to the search, brining it down to only a small handful of events.<BR /><BR />The next lines then use the lookup command to pull from the new lookup file created at the start with all the process events prior to filtering. Using it, I create fields showing the grandparent process for the remaining process events.<BR /><BR />With the grandparent process added, I use a subsearch in the below manner to filter out events which match a separate lookup table I use as a whitelist.</P><P>&nbsp;</P><LI-CODE lang="markup">| search NOT [ inputlookup whitelist | fields + src_hostname user grandparent_process_path parent_process_path process_path]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>The issue, I'm afraid, is how Splunk's order of operations works. When the search runs on its schedule, it's like the lookup commands are parsed before the outputlookup command despite that not being how the search is written. Because of this, I feel like it checks the prior instance of <EM>process_events.csv&nbsp;</EM>before it's been regenerated by outputlookup with fresh data. As such, the grandparent_process_path field comes back as "n/a" rather than being filled properly so that it can be checked against the whitelist properly.<BR /><BR />Am I thinking along the right lines here? Is there some nuance of outputlookup I'm missing? If so, any ideas on fixing it, or am I gonna need to scrap this whole idea to add in grandparent processes to process event logs?</P> Fri, 26 Dec 2025 09:56:10 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-Before-Lookup/m-p/756794#M243132 dtaylor 2025-12-26T09:56:10Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-Before-Lookup/m-p/756796#M243133 <P>Subsearches are performed first, before the main search executes.&nbsp; That's why there's nothing for the <FONT face="courier new,courier">lookup</FONT> command to find.</P> Fri, 26 Dec 2025 13:12:24 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-Before-Lookup/m-p/756796#M243133 richgalloway 2025-12-26T13:12:24Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-Before-Lookup/m-p/756800#M243134 <P>This is basically the same problem you asked about last month (which you said you had solved), however, pursuing the other solutions offered at the time might prove more helpful in this instance?</P> Sat, 27 Dec 2025 00:10:33 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-Before-Lookup/m-p/756800#M243134 ITWhisperer 2025-12-27T00:10:33Z