Splunk Search

Are there any use cases that justify the overhead of automatic lookups?

Ultra Champion

Our team discourages all users from using automatic lookups due to the overhead incurred in each search query.

Are there any best practices around it?


SplunkTrust

I would say that lookups that translate things into human-readable form, for example protocol numbers like 6 and 17 being TCP and UDP, would be good candidates. In this specific case the data set is limited, and instead of doing all ~150 in a lookup you could do like the top 10 or 20 and even just put those into a regular .props "case" statement instead of a lookup.

One of the other main use cases I've used is user enrichment, where you have log events with users, and every time you want to investigate something you always need to know who this user is, what department they are in, what their SAM acct is, their phone, their email, the last time their password was changed, etc.
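
The two approaches mentioned in this answer, written out as an added configuration example (this is not configuration from the original post or from Splunk's own documentation). The stanza names `firewall`, `firewall_eval` and `WinEventLog:Security`, the field names `proto` and `Account_Name`, the lookup names `ip_proto_lookup` and `ad_user_lookup`, and the CSV contents are all assumed for illustration; the `LOOKUP-`, `EVAL-` and `case()` syntax is standard props.conf/transforms.conf syntax.

```ini
# transforms.conf (assumed location: an app's local/ directory)
# Lookup definition for the protocol-number case. The CSV is constructed
# for this example and would hold rows such as:
#   proto_num,proto_name
#   1,ICMP
#   6,TCP
#   17,UDP
[ip_proto_lookup]
filename = ip_protocols.csv

# Lookup definition for the user-enrichment case. Constructed CSV with
# columns such as: user,department,samaccountname,phone,email,pwdlastset
[ad_user_lookup]
filename = ad_users.csv

# props.conf
# Option A: automatic lookup, scoped to a single (assumed) sourcetype so the
# per-event lookup cost is paid only by searches that touch that sourcetype,
# never by searches over other data.
[firewall]
LOOKUP-proto = ip_proto_lookup proto_num AS proto OUTPUT proto_name

# Option B: the "case statement" alternative. The handful of protocols that
# matter are mapped with a search-time EVAL; no lookup file is opened.
# Shown on a second assumed sourcetype so both options can be read side by
# side; in practice a given field gets one of A or B, not both.
[firewall_eval]
EVAL-proto_name = case(proto==1, "ICMP", proto==6, "TCP", proto==17, "UDP", proto==47, "GRE", proto==50, "ESP", true(), "other")

# User enrichment as an automatic lookup. OUTPUTNEW only fills fields that
# the event does not already have, so extracted values are never overwritten.
[WinEventLog:Security]
LOOKUP-ad_user = ad_user_lookup user AS Account_Name OUTPUTNEW department samaccountname phone email pwdlastset

# Manual alternative for occasional use, run in the search itself instead of
# on every search against the sourcetype:
#   ... | lookup ad_user_lookup user AS Account_Name OUTPUTNEW department email
```

The overhead the question refers to comes from the automatic lookup being applied to every event of the stanza's sourcetype on every search, so the practical controls are to scope the stanza to exactly the data that needs the enrichment, keep the lookup file small (or replace it with an EVAL as in option B when only a few values matter), and fall back to an explicit `| lookup` in the search for enrichment that is only needed during an investigation.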

Contributor

@SloshBurch this sounds like a job for the best practices tag.


Ultra Champion

Thanks @grittonc!

I've added the best-practices tag and will review this when we start work on lookups (no ETA). Thanks again!
