Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup query - What does append=T mean ?

splunker12er
Motivator
‎06-25-2014 02:13 AM

What does the below statement mean ?

If 'append' is set to true (false by default), the data from the lookup file is appended to the current set of results rathering than replacing it.

I use lookup like below,

[mysearch] | lookup MyLookup field_1 as field_1 OUTPUTNEW field_2 field_3

So , with reference to field_1 value , i do obtain field_2 , field_3 ..etc

what does that statement say, how append=t works ?

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-25-2014 02:21 AM

The append option is part of inputlookup, not lookup - see http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/inputlookup for reference.

There it means you can add ... | inputlookup my_lookup append=t to the end of a search pipeline to append the data from the lookup file to the current search results. Without the append you can only use inputlookup as a generating command at the beginning of the pipeline.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-25-2014 04:18 AM

append=t has nothing to do with the lookup command, but rather with the inputlookup command which does something entirely different.

0 Karma
Reply

splunker12er
Motivator
‎06-25-2014 03:34 AM

How the field values in my_lookup will be appended to my current search ? I mean ,on what basis or reference ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top