Splunk Search

What is the difference between lookup, input lookup and what a definition lookup is for ?

darphboubou
Explorer

Hi,

 

As asked in the subject  I trying to figure out the difference between lookup input lookup because I  don't think I get it.

 

in this research for example:

 

index=windows EventCode=4624 [ | inputlookup damtest2.csv | rename Server AS Workstation_Name | fields Workstation_Name ]
| lookup damtest2.csv Server AS Workstation_Name OUTPUT os
| table Workstation_Name os Package_Name__NTLM_only_ 
| dedup Workstation_Name 
| sort Workstation_Name

 

plus What is the use case of a definition lookup. The command above works without lookup definition for example.

 

Regards

 

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @darphboubou,

in few words:

the lookup command is a join betweeen the main search and the lookup, using the defined key.

The inputlookup command is a command to list the contents of a lookup.

If you need to enrich the results of a search, using the contents of a lookup, you have to use the lookup command.

If instead you want to list the content of a lookup to display records or to use them in a subsearch, you have to use the inputlookup command.

Infact in your sample search, you use the inputlookup in a subsearch to filter results from the main search and the lookup command to use some information in the lookup to enrich your results.

About lookup definition, sincerely I'm not sure about it's sense, probably it's mandatory in kv-store lookups.

Anyway, add always lookup's definition to avoid problems in searches.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @darphboubou,

in few words:

the lookup command is a join betweeen the main search and the lookup, using the defined key.

The inputlookup command is a command to list the contents of a lookup.

If you need to enrich the results of a search, using the contents of a lookup, you have to use the lookup command.

If instead you want to list the content of a lookup to display records or to use them in a subsearch, you have to use the inputlookup command.

Infact in your sample search, you use the inputlookup in a subsearch to filter results from the main search and the lookup command to use some information in the lookup to enrich your results.

About lookup definition, sincerely I'm not sure about it's sense, probably it's mandatory in kv-store lookups.

Anyway, add always lookup's definition to avoid problems in searches.

Ciao.

Giuseppe

darphboubou
Explorer

Hi @gcusello,

 

A question at the end of the first line (see the begining of the threat). you put

fields Workstation_Name ]

 

What is the purpose of this command ?

 

Regards

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @darphboubou,

when you use a subsearch, you have to specify which fields of the subsearch must be used as key, in your case "Workstation_Name" and beware to the case because field names are case sensitive.

Ciao.

Giuseppe

0 Karma

darphboubou
Explorer

ok and you can stipulate more than one ?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @darphboubou,

yes all the fields you want, but if you use more fields ad key, the exact combination must match between main and sub search.

Ciao.

Giuseppe

0 Karma

darphboubou
Explorer

ok no need comma or semin column between the searched fields ?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @darphboubou,

nothing: no commas or other between fields.

You have only to put attention to the field names.

ciao.

Giuseppe

darphboubou
Explorer

thanks for you quick resply 🙂

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...