Splunk® Enterprise

Search Reference


This documentation does not apply to the most recent version of Splunk.

inputlookup

Synopsis

Loads search results from a specified lookup table.

Syntax

inputlookup [append=<bool>] [start=<int>] [max=<int>] (<filename> | <tablename>)

Required arguments

<filename>
Syntax: <string>
Description: The name of the lookup file (must end with .csv or .csv.gz). If the lookup does not exist, Splunk displays a warning message, but it does not generate a syntax error.
<tablename>
Syntax: <string>
Description: The name of the lookup table as specified by a stanza name in transforms.conf. The lookup table can be configured for any lookup type (CSV, external, or KV store).

Optional arguments

append
Syntax: append=<bool>
Description: If set to true, the data returned from the lookup file is appended to the current set of results rather than replacing it. Defaults to false.
max
Syntax: max=<int>
Description: Specify the maximum number of events to be read from the file. Defaults to 1000000000.
start
Syntax: start=<int>
Description: Specify the 0-based offset of the first event to read. If start=0, it begins with the first event. If start=4, it begins with the fifth event. Defaults to 0.

Description

Lets you search the contents of a lookup table as specified by a file name (must end with .csv or .csv.gz) or a lookup table configuration in transforms.conf. The lookup table can be a CSV lookup or a KV store lookup.

If append is set to true, Splunk Enterprise appends the data from the lookup file or KV store collection to the current set of results. append is set to false by default, which means that it replaces the current result set with the results from the lookup search.
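
The start, max and append semantics described above, modeled in Python on a constructed lookup file. This is an added example, not Splunk code: the helper read_lookup, its max_rows parameter (standing in for max) and the sample rows are assumptions made for illustration.

```python
import csv
import gzip
import io
from itertools import islice

# Constructed sample lookup contents (not from the original page).
SAMPLE_CSV = (b"user,group\nalice,admins\nbob,ops\ncarol,ops\n"
              b"dave,dev\nerin,dev\nfrank,audit\n")
SAMPLE_GZ = gzip.compress(SAMPLE_CSV)


def read_lookup(filename, data, current=None, append=False,
                start=0, max_rows=1000000000):
    """Model of inputlookup on a CSV lookup file (hypothetical helper).

    filename -- lookup file name; must end with .csv or .csv.gz
    data     -- raw bytes of that file, passed in so the example runs offline
    current  -- the current result set, as a list of dicts
    """
    if filename.endswith(".csv.gz"):
        text = gzip.decompress(data).decode("utf-8")
    elif filename.endswith(".csv"):
        text = data.decode("utf-8")
    else:
        raise ValueError("lookup file name must end with .csv or .csv.gz")
    if start < 0 or max_rows < 0:
        raise ValueError("start and max must be non-negative integers")

    reader = csv.DictReader(io.StringIO(text))
    # start is a 0-based offset: start=4 begins with the fifth event.
    selected = list(islice(reader, start, start + max_rows))

    # append=false (the default) replaces the current results;
    # append=true adds the lookup rows after them.
    if append:
        return list(current or []) + selected
    return selected


def demo():
    current = [{"host": "web01"}]  # constructed "current results"
    page = read_lookup("users.csv.gz", SAMPLE_GZ, start=4, max_rows=2)
    appended = read_lookup("users.csv", SAMPLE_CSV, current,
                           append=True, max_rows=1)
    replaced = read_lookup("users.csv", SAMPLE_CSV, current)
    return page, appended, replaced
```
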

For more information about lookup table configuration, see "Configure CSV and external lookups" and "Configure KV store lookups" in the Knowledge Manager Manual.

For more information about the App Key Value store, see "About KV store" in the Admin Manual.

Examples

Example 1: Read in a usertogroup lookup table that is defined in transforms.conf.

| inputlookup usertogroup

Example 2: Read in a usertogroup table that is defined by a stanza in transforms.conf. Append the fields to any current results.

| inputlookup append=t usertogroup

Example 3: Search the users.csv lookup file (under $SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/<app_name>/lookups).

| inputlookup users.csv

Example 4: Search on the contents of the KV store collection kvstorecoll. It is referenced in a lookup table called kvstorecoll_lookup. Provide a count of the events received from the table.

| inputlookup kvstorecoll_lookup | stats count

Example 5: View internal key ID values for the KV store collection kvstorecoll, using the lookup table kvstorecoll_lookup. The internal key ID is a unique identifier for each record in the collection. This requires usage of the eval and table commands.

| inputlookup kvstorecoll_lookup | eval CustKey = _key | table CustKey, CustName, CustStreet, CustCity, CustState, CustZip

Example 6: Update field values for a single KV store collection record. This requires usage of inputlookup, outputlookup, and eval. The record is indicated by its internal key ID (the _key field), and this search updates the record with a new customer name and customer city. The record belongs to the KV store collection kvstorecoll, which is accessed through the lookup table kvstorecoll_lookup.

| inputlookup kvstorecoll_lookup | search _key=544948df3ec32d7a4c1d9755 | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup kvstorecoll_lookup append=True

Example 7: Write the contents of a CSV file to the KV store collection kvstorecoll using the lookup table kvstorecoll_lookup. This requires usage of both inputlookup and outputlookup.

| inputlookup customers.csv | outputlookup kvstorecoll_lookup

See also

inputcsv, join, lookup, outputlookup

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the inputlookup command.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12


Comments

What does it mean to use |inputlookup with an external lookup? How does an external lookup author recognize her script is being invoked via inputlookup as opposed to traditional field mapping? What output should an external lookup author produce?

Jrodman
October 31, 2014
