Splunk Lantern

Using inputlookup and lookup commands correctly


You might have seen the inputlookup and lookup commands used in searches and wondered how they are different. If you use Splunk Answers for information on the commands, you might find that some of your peers confuse them. They are not interchangeable. This article clarifies the difference.

inputlookup

This command loads the entire contents of a lookup table into the results set. You can use the where option to limit the rows read.

It is a generating command, but it can be used as a streaming command with the append option.

Use case

If you store asset information in a lookup file, you can use inputlookup to read the file for further processing in SPL. For example, you might want to know how many servers are running Windows 2016.

| inputlookup assets.csv WHERE os="Windows 2016"
| stats count

You can also use this command in a subsearch to filter data. This query searches the “foo” index for events where the “country” field contains the name of a country in North America.

index=foo [|inputlookup geo_attr_countries WHERE continent="North America" |fields country]

Examples

|inputlookup geo_attr_countries


|inputlookup geo_attr_countries WHERE country=Canada


lookup

This command enriches a results set by adding new fields based on the values of one or more existing fields. For instance, you might want to associate an employee name with their email address, or a host name with its location.

It is a streaming command.

Use case

  • Map a country name to an abbreviation using a built-in lookup file
    • |lookup geo_attr_countries country OUTPUT iso2
  • Map an email address to an employee name
    • |lookup employee.csv email_addr OUTPUT name
  • Resolve an IP address
    • |lookup dnslookup clientip AS src_ip
  • Get a host’s location
    • |lookup assets.csv host OUTPUT location

Examples

|eval country="Canada"
|lookup geo_attr_countries country


|eval continent="North America"
|lookup geo_attr_countries continent

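To make the difference concrete, here is an added Python model of the two commands' semantics (not Splunk code and not from this article): inputlookup emits the rows of the table itself, ignoring whatever came before it in the pipeline, while lookup keeps every incoming event and only adds OUTPUT fields where a match exists. The assets.csv contents, the event records, and the src_host field are constructed for the illustration.

```python
import csv
import io

# Constructed sample lookup table standing in for the article's assets.csv.
ASSETS_CSV = """host,os,location
web01,Windows 2016,Dallas
web02,Windows 2016,Austin
db01,RHEL 8,Dallas
"""

# Constructed sample events, as if returned by a search on an index.
EVENTS = [
    {"src_host": "web01", "action": "failure"},
    {"src_host": "db01", "action": "success"},
    {"src_host": "unknown99", "action": "failure"},  # no row in the lookup
]

def load_lookup(text):
    """Read a CSV lookup into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def inputlookup(table, where=None):
    """Model of `| inputlookup table WHERE k=v`: a generating command.
    It ignores incoming events and emits the table's own rows, optionally
    filtered by the WHERE conditions, so the result set is the lookup file."""
    return [dict(row) for row in table
            if where is None or all(row.get(k) == v for k, v in where.items())]

def lookup(events, table, match_field, lookup_field=None, output=None):
    """Model of `| lookup table <lookup_field> AS <match_field> OUTPUT f1 f2`:
    a streaming command. Every incoming event is kept; events whose match_field
    value is found in the table gain the OUTPUT fields, the rest pass through
    unchanged (a left join, not a filter)."""
    lookup_field = lookup_field or match_field
    output = output or [f for f in table[0] if f != lookup_field]
    index = {}
    for row in table:
        index.setdefault(row[lookup_field], row)  # first matching row wins
    enriched = []
    for event in events:
        new_event = dict(event)
        row = index.get(event.get(match_field))
        if row is not None:
            for field in output:
                new_event[field] = row[field]
        enriched.append(new_event)
    return enriched

if __name__ == "__main__":
    assets = load_lookup(ASSETS_CSV)
    # | inputlookup assets.csv WHERE os="Windows 2016" | stats count
    print(len(inputlookup(assets, {"os": "Windows 2016"})))
    # ... | lookup assets.csv host AS src_host OUTPUT location
    for ev in lookup(EVENTS, assets, "src_host", "host", ["location"]):
        print(ev)
```

Note that the third event survives the lookup without a location field; if you want to drop events that have no match, that is a separate filtering step, which is exactly the kind of thing an inputlookup subsearch is used for.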

Next steps

These additional Splunk resources might help you understand and implement this product tip: