Lookup query - What does append=T mean ?

splunker12er · ‎06-25-2014

What does the below statement mean ?

If 'append' is set to true (false by default), the data from the lookup file is appended to the current set of results rathering than replacing it.

I use lookup like below,

[mysearch] | lookup MyLookup field_1 as field_1 OUTPUTNEW field_2 field_3

So , with reference to field_1 value , i do obtain field_2 , field_3 ..etc

what does that statement say, how append=t works ?

martin_mueller · ‎06-25-2014

The append option is part of inputlookup, not lookup - see http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/inputlookup for reference.

There it means you can add ... | inputlookup my_lookup append=t to the end of a search pipeline to append the data from the lookup file to the current search results. Without the append you can only use inputlookup as a generating command at the beginning of the pipeline.

martin_mueller · ‎06-25-2014

append=t has nothing to do with the lookup command, but rather with the inputlookup command which does something entirely different.

splunker12er · ‎06-25-2014

How the field values in my_lookup will be appended to my current search ? I mean ,on what basis or reference ?

Lookup query - What does append=T mean ?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

Lookup query - What does append=T mean ?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I