Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Outputlookup Before Lookup

dtaylor
Path Finder
Friday

I'm working with a search that starts by filtering for all process events in Windows and then sending them to a lookup file using outputlookup with the 'append' flag set to false so it resets each run. For example, process_events.csv

The following lines then applies various filters to the search, brining it down to only a small handful of events.

The next lines then use the lookup command to pull from the new lookup file created at the start with all the process events prior to filtering. Using it, I create fields showing the grandparent process for the remaining process events.

With the grandparent process added, I use a subsearch in the below manner to filter out events which match a separate lookup table I use as a whitelist.

 

| search NOT 
    [ inputlookup whitelist
    | fields + src_hostname user grandparent_process_path parent_process_path process_path]

 

 

The issue, I'm afraid, is how Splunk's order of operations works. When the search runs on its schedule, it's like the lookup commands are parsed before the outputlookup command despite that not being how the search is written. Because of this, I feel like it checks the prior instance of process_events.csv before it's been regenerated by outputlookup with fresh data. As such, the grandparent_process_path field comes back as "n/a" rather than being filled properly so that it can be checked against the whitelist properly.

Am I thinking along the right lines here? Is there some nuance of outputlookup I'm missing? If so, any ideas on fixing it, or am I gonna need to scrap this whole idea to add in grandparent processes to process event logs?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
Friday

This is basically the same problem you asked about last month (which you said you had solved), however, pursuing the other solutions offered at the time might prove more helpful in this instance?

Reply

richgalloway
SplunkTrust
SplunkTrust
Friday

Subsearches are performed first, before the main search executes.  That's why there's nothing for the lookup command to find.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...