Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

savedsearch vs outputlookup- Which one is more efficient to use and should be used as default?

MaxJ
New Member
‎11-08-2022 05:03 AM

I run large searches at the start of each month. Generally I use the saved search commands to retrieve the results on dashboards - e.g. | savedsearch report_name. However, we sometimes use outputlookup at the end of the search and inputlookup to retrieve the data on the dashboard - e.g. | outputlookup report_file.csv. 

I have recently had some issues with saved search:

  • jobs being deleted that causes my saved searches disappear
  • For saved searches to be refreshed the report needs to rescheduled and run again
  • Odd behaviour with reports running but data not actually being picked up by dashboards

These issues do not apply to outputlookup reports which can more easily be re-run and also can easily be edited with lookup editor if required.

Can anybody tell me which is more efficient to use and should be the default option? Are there any advantages and disadvantages to either command I have not considered?

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2022 06:18 AM

savedsearch and outputlookup (we really should be talking about intputlookup) are very different commands.

The savedsearch command returns data from your indexes (although they also can access lookups, databases, and any other source available with SPL) whereas inputlookup only looks at lookup files.  The former is presumed to be using fresh data (it depends on the search), but lookups could be stale.

Lookups can be manipulated, but that's harder to do with indexed data.

Lookups can be deleted, too.

The command to use depends on your needs.  Use the one that does the job you need to do.

Which is more efficient?  It depends.  Searches can be very efficient or not, depending on what they do.  Lookups can be fast, but they have to be maintained and that maintenance process may be very inefficient.  Also, lookups (usually) are part of the knowledge bundle sent to each indexer so a lot of lookups or very large lookups can make the bundle process inefficient.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-08-2022 06:10 AM

Hi @MaxJ,

if the result to display is fixed and you don't need to know the old values, I'd use the lookup.

If the result need to consider also the time variance (e.g. results of the last month) you could use a Summary index.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...