Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: What does format do after a table lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I inherited a search that contains he following line;
[| inputlookup <lookup table name> | format ]
and I can't figure out what it does. The table contains one column with a title of my_field. The data is numbers and subnet addresses, (Like 1.2.3.4/24). Now there is a field from the raw event called my_field, but I can't figure out how everything works together.
After the line there is the ~stats~ portion of the search that summarizes the data and my_field is mentioned like below;
| stats sum(field_b) by my_field
but I'm not sure what the lookup does for me. I guess I'm trying to understand what the inputlookup format above does. I can't really find anything in the docs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your description of the search, I suspect the search is structured to use the data in the lookup file as a search filter, which will narrow the results of the base search to only events containing my_field values that are present in the lookup file.
As @mayurr98 pointed out, the format command itself isn't really doing much in the context of this search, because it's used implicitly in subsearches anyway.
If I'm correct about the intention of the user who wrote the search, it's probably structured like this:
index=something sourcetype=whatever
[| inputlookup <lookup table>
| format ]
| stats sum(field_b) by my_field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your description of the search, I suspect the search is structured to use the data in the lookup file as a search filter, which will narrow the results of the base search to only events containing my_field values that are present in the lookup file.
As @mayurr98 pointed out, the format command itself isn't really doing much in the context of this search, because it's used implicitly in subsearches anyway.
If I'm correct about the intention of the user who wrote the search, it's probably structured like this:
index=something sourcetype=whatever
[| inputlookup <lookup table>
| format ]
| stats sum(field_b) by my_field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. It makes a lot more sense now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FORMAT- This command is used implicitly by subsearches. This command takes the results of a subsearch, formats the results into a single result and places that result into a new field called search.
Refer this doc for more info.
https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Format
You can run | inputlookup <lookup table name> | format seperately to see what you get in search field and then you may try to understand query.
let me know if this helps!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Continue Your Federation Journey: Join Session 3 of the Bootcamp Series
Announcing Modern Navigation: A New Era of Splunk User Experience
Casting Call: Compete in Cyber Games
