Knowledge Management
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what is the difference between inputcsv and inputlookup?

asmithe
Path Finder
‎04-01-2014 01:46 PM

From the documentation it looks that the difference is mostly the file location of the input file.

Can anyone with more experience with these two search commands comment on why you might choose to use inputlookup vs. inputcsv?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎04-02-2014 09:08 AM

inputlookup treats the given lookup as input. If CSV files, lookups must be in $SPLUNK_HOME/etc/apps//lookups. Otherwise, they might be scripted or external_url lookups, in which case a script or URL is providing said input.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup

inputcsv treats the given CSV file as input. CSV files can only be used if they live in $SPLUNK_HOME/var/run/splunk.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputcsv

View solution in original post

Reply
Solved! Jump to solution

MuS
Legend
‎04-02-2014 11:34 PM

@somesoni2: thanks for this hint! using append=t works, without you will get the must be first search command error 😉

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎04-02-2014 09:08 AM

inputlookup treats the given lookup as input. If CSV files, lookups must be in $SPLUNK_HOME/etc/apps//lookups. Otherwise, they might be scripted or external_url lookups, in which case a script or URL is providing said input.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup

inputcsv treats the given CSV file as input. CSV files can only be used if they live in $SPLUNK_HOME/var/run/splunk.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputcsv

Reply
Solved! Jump to solution

aelliott
Motivator
‎04-02-2014 08:06 AM

inputcsv can be treated as "events" by setting a flag that will allow for timecharts of the data.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-02-2014 07:15 AM

Are you sure it should be the first command, I guess we can do things like "index=_internal | inputcsv abc.csv append=t"

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎04-01-2014 11:29 PM

as addition:
inputcsv must be the first command in a search, where as a lookup can be done anywhere in the search path

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-01-2014 02:07 PM

Portability of csv file can also be a factor for having a csv file added as lookup table file (under an app) so they can be deployed across various splunk instances as part of app package.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-01-2014 02:05 PM

One difference I can see is that you can restrict the execution of the command/access to csv data using role security using inputlookup. (inputlookup loads data from lookup table file/lookup definition file permissions for which can be set)

Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top