What is outputlookup in Splunk?
The outputlookup command is a way to save any search you’ve made as a lookup table. This command works by turning search results into lookup tables so that the data can be retrieved later using an inputlookup command.
What is inputlookup in Splunk?
The Inputlookup command is used to retrieve data from a Splunk lookup. Rather than searching for the .csv file, or even creating an output lookup every time you need the .csv in a lookup table, you can create an output lookup once to retrieve it, almost instantaneously, as many times as you need it with an inputlookup.
Splunk Tip: The downside to output and input lookup commands is that your .csv file is static, so the data will only be current as of the last time you updated that file.
How To Use outputlookup
Whenever you find yourself with a results table that you’d like to hold onto, use outputlookup. When you throw outputlookup at the end of the search, it will turn the results into a lookup that you can use independently.
Here’s the syntax for outputlookup:
Syntax: |outputlookup <lookup_name>.csv
Figure 1 – Using outputlookup in Splunk
There are a few extra lines that can be added if need be. Lines like append=true and overwrite=true will change based on how the lookup is created.
Outputlookup really shines when it comes to building out a list of suspicious values in Splunk (such as a watchlist, blacklist, or whitelist). All it takes is to build out a results table in Splunk that contains the information you need.
How To Use inputlookup
Where the lookup search command allows you to join fields from a lookup to the data from search, inputlookup will allow you to just view or start with the lookup. This can be used at the beginning of a search, halfway through (using append or join), or where you see fit to bring in a lookup. Starting a search with an inputlookup can drastically increase search speeds, so keep an eye out if it applies to any of your use cases.
Here’s the syntax for inputlookup:
|intputlookup <lookup_name>.csv
Figure 2 – Using outputlookup in Splunk
Splunk Pro Tip: There’s a super simple way to run searches simply—even with limited knowledge of SPL— using Search Library in the Atlas app on Splunkbase. You’ll get access to thousands of pre-configured Splunk searches developed by Splunk Experts across the globe. Simply find a search string that matches what you’re looking for, copy it, and use right in your own Splunk environment. Try speeding up your inputlookup and outputlookup commands right now using these SPL templates, completely free.
Run a pre-Configured Search for Free
Splunk Lookup Use Case Examples
1. How To Find a List of All Lookups in Splunk
Step 1: Go to Settings
Step 2: Click Tables
Step 3: Search for your .csv file
2. How To Adjust Permissions for Lookups in Splunk
Step 1: Search for the lookup table you want to adjust permissions for.
Step 2: Hover over to Sharing and select Permissions.
Step 3: Choose who can have Read or Write Permissions
3. How To Reference a Lookup Table From Excel
If you want to upload a lookup table to reference from Excel, follow these steps.
Step 1: Select New Lookup Table File
Step 2: Choose a file that ends with .csv
Step 3: Save your file
If you found this helpful…
You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.
Cue Atlas Assessment 30-day free trial: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. You’ll get your report in just 30 minutes.
No comment yet, add your voice below!