At which layer lookup works?

rajeev_ku · ‎08-11-2019

Hi There,
Could anyone help me understand at which Splunk layer lookup works, I mean at input layer, indexer layer or search layer.

Thanks
Rajeev

nareshinsvu · ‎08-11-2019

Lookups are created at search layer

https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Aboutlookupsandfieldactions

Note - Maintain and Housekeep lookups on a regular basis. It creates bundles on INDEXER servers with huge amount of space.
Keep an eye on %SPLUNK_HOME%\var\run\searchpeers (on your INDEXER servers) which is a reflection of your lookup volumes (created on SEARCH servers)

diogofgm · ‎08-11-2019

Lookups work in the indexer and/or the search layer depending on how your search is written and on what you are looking up from the lookup

Example:
you have a "hostcategory" lookup that has host, category

if you search: index=your_index | lookup hostcategory host OUTPOUT category | stats count by category
this will use the lookup in the indexer.

on the other hand if you search: index=your_index | stats count by host | lookup hostcategory host OUTPOUT category
this will use the lookup in the search head since its being used after and aggregation function.

More information from docs:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Aboutlookupsandfieldactions

------------
Hope I was able to help you. If so, some karma would be appreciated.

At which layer lookup works?

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Index This | I am a number but I am countless. What am I?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience