Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the difference between action.lookup and action.populate_lookup?

ruman_splunk
Splunk Employee
Splunk Employee
‎01-12-2022 05:26 PM

https://docs.splunk.com/Documentation/Splunk/latest/admin/savedsearchesconf mentions two lookup-generating actions: action.lookup and action.populate_lookup.

Some of the differences are clear, though not explicitly listed, in the docs. What's the complete set of differences? When should I use one or the other and when do I have to use outputlookup?

action.lookup = <boolean>
* Specifies whether the lookup action is enabled for this search.
* Default: false

action.lookup.filename = <lookup filename>
action.lookup.append = <boolean>

and

action.populate_lookup = <boolean>
* Specifies whether the lookup population action is enabled for this search.
* Default: false

action.populate_lookup.dest = <string>
run_on_startup = <boolean>
run_n_times = <unsigned integer> 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ruman_splunk
Splunk Employee
Splunk Employee
‎01-12-2022 05:31 PM
  • appending
    • action.lookup allows for appending.
    • action.populate_lookup does not.
  • specifying a target lookup
    • action.lookup requires a filename (relative to the current app).
    • action.populate_lookup allows you to specify a transforms stanza or path for the lookup, and allows you to update a lookup in some other app or in etc/system/lookups.
  • limits
    • action.lookup has a 50K row limit.
    • action.populate_lookup does not have a limit.
  • scheduling
    • action.populate_lookup has additional scheduling options run_on_startup and run_n_times.

See also: https://community.splunk.com/t5/Splunk-Search/quot-outputlookup-quot-vs-quot-action-populate-lookup-...

So, you can't use savedsearches.conf to configure a lookup action if you need to append more than 50K results - must use outputlookup in this case.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ruman_splunk
Splunk Employee
Splunk Employee
‎01-12-2022 05:31 PM
  • appending
    • action.lookup allows for appending.
    • action.populate_lookup does not.
  • specifying a target lookup
    • action.lookup requires a filename (relative to the current app).
    • action.populate_lookup allows you to specify a transforms stanza or path for the lookup, and allows you to update a lookup in some other app or in etc/system/lookups.
  • limits
    • action.lookup has a 50K row limit.
    • action.populate_lookup does not have a limit.
  • scheduling
    • action.populate_lookup has additional scheduling options run_on_startup and run_n_times.

See also: https://community.splunk.com/t5/Splunk-Search/quot-outputlookup-quot-vs-quot-action-populate-lookup-...

So, you can't use savedsearches.conf to configure a lookup action if you need to append more than 50K results - must use outputlookup in this case.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...