Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help understanding Appending to Lookup file

neerajs_81
Builder
‎02-14-2022 03:36 AM

Hi All,
I have the below search.  I am being told it appends results to a lookup table called user_ids.   

 

index=ad earliest=-15d
|stats latest(_time) as _time, latest(profile.department) as bunit, latest(profile.legacyUsername) as legacyUsername, latest(profile.userType) as category by userID
| append [|inputlookup user_ids]

 


In all the posts i have seen so far, people recommend using outputlookup command to append  

Can someone pls explain  how does append [|inputlookup user_identities]  end up appending  in my case ? How is this different than 

| outputlookup append=true user_ids.csv 
Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2022 03:40 AM

Hi @neerajs_81,

the append command is use to append the results of a subsearch (also from a lookup) to the results of the main search.

If I correctly understood, you need to append the results of a search to a lookup, if this is correct, you have to use the outputlookup.

You can find information about both the commands at 

https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Append 

https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Outputlookup

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2022 03:40 AM

Hi @neerajs_81,

the append command is use to append the results of a subsearch (also from a lookup) to the results of the main search.

If I correctly understood, you need to append the results of a search to a lookup, if this is correct, you have to use the outputlookup.

You can find information about both the commands at 

https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Append 

https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Outputlookup

Ciao.

Giuseppe

Reply
Solved! Jump to solution

neerajs_81
Builder
‎02-14-2022 04:01 AM

Thanks. So in my search what does 

| append [|inputlookup user_ids]

achieve?   Is it appending the results to that user_ids lookup file ? 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2022 04:03 AM

Hi @neerajs_81,

no it appends the rows of the lookup TO your search results, not To the lookup!

In other words: "| append [|inputlookup user_ids]" appends FROM user_id.csv not TO this lookup.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...