https://community.splunk.com/t5/Splunk-Search/What-does-format-do-after-a-table-lookup/m-p/316318#M94674 <P>Thanks. It makes a lot more sense now.</P> Fri, 06 Apr 2018 19:10:49 GMT OldManEd 2018-04-06T19:10:49Z https://community.splunk.com/t5/Splunk-Search/What-does-format-do-after-a-table-lookup/m-p/316315#M94671 <P>I inherited a search that contains he following line;</P> <PRE><CODE>[| inputlookup &lt;lookup table name&gt; | format ] </CODE></PRE> <P>and I can't figure out what it does. The table contains one column with a title of my_field. The data is numbers and subnet addresses, (Like 1.2.3.4/24). Now there is a field from the raw event called my_field, but I can't figure out how everything works together.</P> <P>After the line there is the ~stats~ portion of the search that summarizes the data and my_field is mentioned like below;</P> <PRE><CODE>| stats sum(field_b) by my_field </CODE></PRE> <P>but I'm not sure what the lookup does for me. I guess I'm trying to understand what the inputlookup format above does. I can't really find anything in the docs.</P> Tue, 29 Sep 2020 18:53:58 GMT https://community.splunk.com/t5/Splunk-Search/What-does-format-do-after-a-table-lookup/m-p/316315#M94671 OldManEd 2020-09-29T18:53:58Z https://community.splunk.com/t5/Splunk-Search/What-does-format-do-after-a-table-lookup/m-p/316316#M94672 <P>FORMAT- This command is used implicitly by subsearches. This command takes the results of a subsearch, formats the results into a single result and places that result into a new field called search.<BR /> Refer this doc for more info.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Format">https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Format</A><BR /> You can run <CODE>| inputlookup &lt;lookup table name&gt; | format</CODE> seperately to see what you get in search field and then you may try to understand query.</P> <P>let me know if this helps!</P> Fri, 06 Apr 2018 17:16:45 GMT https://community.splunk.com/t5/Splunk-Search/What-does-format-do-after-a-table-lookup/m-p/316316#M94672 mayurr98 2018-04-06T17:16:45Z https://community.splunk.com/t5/Splunk-Search/What-does-format-do-after-a-table-lookup/m-p/316317#M94673 <P>Based on your description of the search, I suspect the search is structured to use the data in the lookup file as a search filter, which will narrow the results of the base search to only events containing <CODE>my_field</CODE> values that are present in the lookup file. </P> <P>As @mayurr98 pointed out, the <CODE>format</CODE> command itself isn't really doing much in the context of this search, because it's used implicitly in subsearches anyway. </P> <P>If I'm correct about the intention of the user who wrote the search, it's probably structured like this:</P> <PRE><CODE>index=something sourcetype=whatever [| inputlookup &lt;lookup table&gt; | format ] | stats sum(field_b) by my_field </CODE></PRE> Fri, 06 Apr 2018 17:22:10 GMT https://community.splunk.com/t5/Splunk-Search/What-does-format-do-after-a-table-lookup/m-p/316317#M94673 elliotproebstel 2018-04-06T17:22:10Z https://community.splunk.com/t5/Splunk-Search/What-does-format-do-after-a-table-lookup/m-p/316318#M94674 <P>Thanks. It makes a lot more sense now.</P> Fri, 06 Apr 2018 19:10:49 GMT https://community.splunk.com/t5/Splunk-Search/What-does-format-do-after-a-table-lookup/m-p/316318#M94674 OldManEd 2018-04-06T19:10:49Z