Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookups vs Events Questions

user4455
Explorer
‎01-16-2016 03:13 PM

I'm trying to understand what, exactly, lookup tables are. It seems like getwatchlist just populates Splunk like any other data import by outputting csv formatted data into Splunk. I didn't see anything in the code that mentioned lookup tables or even indexes.

So, the command is run, data changed to csv, and sent to Splunk. That's where I get a bit confused. What makes it a lookup table? Looking at the source, there is no transforms.conf, so I'm not even sure how the lookup table name is set. It would seem to be the Profile Name from the getwatchlists.conf.

Thanks!

Tags (1)
0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-16-2016 08:22 PM

Lookups can also be stored in the KVStore now a days. These aren't static on disk, per say, as csv lookups. However, they function in a near similar manner, but depending on your lookups, it can be better for performance (large lookups, better performance.)

http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/ConfigureKVstorelookups

0 Karma
Reply

somesoni2
Revered Legend
‎01-16-2016 06:52 PM

Lookup tables are static table, in CSV format, which enrich your search results by matching field(s) from your search results and adding corresponding fields from the lookup table. They are available in lookups folder under your app or under etc/system. They don't required any .conf entry. More details here.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Addfieldsfromexternaldatasources

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...