Lookups vs Events Questions

user4455 · ‎01-16-2016

I'm trying to understand what, exactly, lookup tables are. It seems like getwatchlist just populates Splunk like any other data import by outputting csv formatted data into Splunk. I didn't see anything in the code that mentioned lookup tables or even indexes.

So, the command is run, data changed to csv, and sent to Splunk. That's where I get a bit confused. What makes it a lookup table? Looking at the source, there is no transforms.conf, so I'm not even sure how the lookup table name is set. It would seem to be the Profile Name from the getwatchlists.conf.

Thanks!

esix_splunk · ‎01-16-2016

Lookups can also be stored in the KVStore now a days. These aren't static on disk, per say, as csv lookups. However, they function in a near similar manner, but depending on your lookups, it can be better for performance (large lookups, better performance.)

http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/ConfigureKVstorelookups

somesoni2 · ‎01-16-2016

Lookup tables are static table, in CSV format, which enrich your search results by matching field(s) from your search results and adding corresponding fields from the lookup table. They are available in lookups folder under your app or under etc/system. They don't required any .conf entry. More details here.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Addfieldsfromexternaldatasources

Lookups vs Events Questions

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!