Splunk Search

kvstore lookups and efficiency


I wanted to get peoples thoughts on using multiple data sources in Splunk and whether it’s worth doing some processing to join these together or Splunk is good enough in doing this from joining multiple lookups together at search time. For example, we have CloudPassage and Qualys data as well as any other asset data that could be joined together to give us a fairly extensive view of assets (at least in AWS). Does it make sense to do some postprocessing of the lookups into a single larger table or keep them separate?

0 Karma

Esteemed Legend

It is trivial to join them together like this:

| inputlookup Asset1 | appendpipe [|inputlookup Asset2] | appendpipe [|inputlookup Asset3] ... etc.

It is also trivial to lookup separately like this:

... | lookup Asset1 | lookup Asset2 | lookup Asset3 | ... etc.

On top of that you can put each of these inside a macro so you can administer it in a single place.
Therefore, I say keep separate stuff separate.