Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Inputlookup subsearch and join

darioapis
Explorer
‎07-09-2019 12:13 AM

I have a question about two searches. The first one is much more faster than the second one, but I think that they do the same thing so I am wondering am I right about that assumption.

First search
index=windows | join user [| inputlookup default_user_accounts.csv | fields user ]
Second search
index=windows [| inputlookup default_user_accounts.csv | fields user ]

0 Karma
Reply

HiroshiSatoh
Champion
‎07-09-2019 02:27 AM

Normally, JOIN is not used in extraction.

First search

index=windows | join user [| inputlookup default_user_accounts.csv | fields user ]

The default is INNER JOIN, so logs that are not JOIN will be deleted. It's slow because it will join. It is not usually used as an extraction condition.

Second search 

index=windows [| inputlookup default_user_accounts.csv | fields user ]
↓
index=windows (user=A OR user=b OR user=c)

As it is converted as above and search is fast.

Do this if you want to use lookups. Lookup is faster than JOIN.

 index=windows 
| lookup default_user_accounts.csv user OUTPUT my_fields
| where notisnull(my_fields)
Reply

starcher
Influencer
‎07-09-2019 06:24 AM

Also join has limits and will clip your results. Friends don't let friends use JOIN

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-09-2019 12:55 AM

Hi darioapis,
the join command it isn't a fast command, so it must be used only when you haven't any other solution!
In addition the lookup command is substancially a join command, so you don't need to use the join command, but it's very faster the lookup command.
So I suggest to use something like this:

index=windows 
| lookup default_user_accounts.csv user OUTPUT my_fields

Beware that the key field must be the same both in search and lookup, if not, use the option lookup_user AS user after the lookup definition.
For more information see https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Lookup .

Bye.
Giuseppe

P.S. a quick tip: when you use Splunk, forget your DB approach, Splunk thinks different!

Reply

tiagofbmm
Influencer
‎07-09-2019 12:16 AM

Why aren't you trying the | lookup command on that ?

index=windows | lookup default_user_accounts.csv OUTPUT user

0 Karma
Reply

darioapis
Explorer
‎07-09-2019 12:52 AM

Would that be faster than a regular join?

0 Karma
Reply

tiagofbmm
Influencer
‎07-09-2019 12:54 AM

You can try it yourself but that should be the fastest way from my experience

0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...