Skip to content

How to Use Splunk Inputlookup and Outputlookup Commands in 5 Minutes


Written by: Kinney Group | Last Updated:

June 12, 2023

Originally Published:

October 9, 2020

splunk search command examples


What is outputlookup in Splunk?

The outputlookup command is a way to save any search you’ve made as a lookup table. This command works by turning search results into lookup tables so that the data can be retrieved later using an inputlookup command.

New call-to-action

What is inputlookup in Splunk?

The Inputlookup command is used to retrieve data from a Splunk lookup. Rather than searching for the .csv file, or even creating an output lookup every time you need the .csv in a lookup table, you can create an output lookup once to retrieve it, almost instantaneously, as many times as you need it with an inputlookup.

Splunk Tip: The downside to output and input lookup commands is that your .csv file is static, so the data will only be current as of the last time you updated that file.

How To Use outputlookup

Whenever you find yourself with a results table that you’d like to hold onto, use outputlookup. When you throw outputlookup at the end of the search, it will turn the results into a lookup that you can use independently.

Here’s the syntax for outputlookup:

Syntax: |outputlookup <lookup_name>.csv

Using outputlookup in Splunk

Figure 1 – Using outputlookup in Splunk

There are a few extra lines that can be added if need be. Lines like append=true and overwrite=true will change based on how the lookup is created.

Outputlookup really shines when it comes to building out a list of suspicious values in Splunk (such as a watchlist, blacklist, or whitelist).  All it takes is to build out a results table in Splunk that contains the information you need.

How To Use inputlookup

Where the lookup search command allows you to join fields from a lookup to the data from search, inputlookup will allow you to just view or start with the lookup. This can be used at the beginning of a search, halfway through (using append or join), or where you see fit to bring in a lookup. Starting a search with an inputlookup can drastically increase search speeds, so keep an eye out if it applies to any of your use cases.

Here’s the syntax for inputlookup:

|intputlookup <lookup_name>.csv

Using inputlookup in Splunk

Figure 2 – Using outputlookup in Splunk

Splunk Pro Tip: There’s a super simple way to run searches simply—even with limited knowledge of SPL— using Search Library in the Atlas app on Splunkbase. You’ll get access to thousands of pre-configured Splunk searches developed by Splunk Experts across the globe. Simply find a search string that matches what you’re looking for, copy it, and use right in your own Splunk environment. Try speeding up your inputlookup and outputlookup commands right now using these SPL templates, completely free.

Run a preconfigured Splunk search for free

Run a pre-Configured Search for Free

New call-to-action

Splunk Lookup Use Case Examples

1. How To Find a List of All Lookups in Splunk

Step 1: Go to Settings

Step 2: Click Tables

Step 3: Search for your .csv file

2. How To Adjust Permissions for Lookups in Splunk

Step 1: Search for the lookup table you want to adjust permissions for.

Step 2: Hover over to Sharing and select Permissions.

Step 3: Choose who can have Read or Write Permissions

3. How To Reference a Lookup Table From Excel

If you want to upload a lookup table to reference from Excel, follow these steps.

Step 1: Select New Lookup Table File

Step 2: Choose a file that ends with .csv

Step 3: Save your file

If you found this helpful… 

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment 30-day free trial: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. You’ll get your report in just 30 minutes.

New call-to-action

Helpful? Don't forget to share this post!
Share on linkedin
Share on reddit
Share on email
Share on twitter
Share on facebook

No comment yet, add your voice below!

Add a Comment

Your email address will not be published. Required fields are marked *