Solved: What is the difference between a standard lookup a...

pdenorch · ‎10-26-2022

I'm not having any luck finding what the functional differences are between a lookup created in splunk core ( Settings > Lookups > add new) that lives in the ES app context, and a managed lookup created from the content management page ( ES > configure > Content Management > Create New Content ).

I have created and experimented with both and I can't find any functional difference. The documentation describes how to create managed lookups but I'm not finding anything on what the point is.

starcher · ‎10-26-2022

All managed means is you can edit the lookup with the UI editor in ES. As long as it’s not too large.

View solution in original post

gcusello · ‎10-26-2022

Hi @pdenorch,

they are both lookups that you can edit using the Lookup Editor App and/or use in your searches, inside and outside ES.

The only difference is that the ES Managed Lookups are part of ES, so the lookup itself and the generating searches are inside ES and you can enable or disable inside ES instead using the Settings menu.

Ciao.

Giuseppe

gcusello · ‎10-27-2022

Hi @pdenorch,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

starcher · ‎10-26-2022

All managed means is you can edit the lookup with the UI editor in ES. As long as it’s not too large.

What is the difference between a standard lookup and an Enterprise Security managed lookup?

lookup

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?