Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

inputlookup special fields

acadea
Explorer
‎06-24-2021 06:00 AM

Hello,
I have recently found there is a strange difference between lookup and inputlookup commands.

 

|makeresults | eval uid="asdf" | lookup mydata uid 

|makeresults | eval uid="asdf" | join uid [| inputlookup mydata]

 

The "mydata" lookup is a kvstore collection, with the following columns
uid, name, address, fields
I was expecting these two queries to have the same results, but no.
It seems the column "fields" is an array and it's returning a lot of data when used with the inputlookup command , which is not the case with the first (lookup) query.

The lookup results are like this:
_key | uid  | name | address | fields
...  | asdf | john | yes     | (empty)

The inputlookup results are like this:

_key | uid  | name | address | fields.town | fields.country
...  | asdf | john | yes     | chicago     | usa

I didn't find any documentation about this.
Your input is welcomed.
Thanks

Labels (3)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2021 07:29 AM

Yes, there is a difference between lookup and inputlookup, but it's not that strange.

The lookup command searches a lookup table for the given field(s) and returns the corresponding fields for the found value.  It's like getting someone's phone number from a telephone directory (remember those?) - find name, return number.

The inputlookup command returns the entire contents of the lookup file (unless the where option is used).  It's the equivalent of saying "read to me the whole phone book".  It has nothing to do with how the columns are named.

I hope this explains why your queries behave the way they do.

---
If this reply helps you, Karma would be appreciated.
Reply

acadea
Explorer
‎06-24-2021 07:36 AM

that's the definition, it's obvious they are different commands

but the results of those two commands should have been the same.

I'm still digging, it seems the "fields" it's an array

that makes me think lookup cannot deal with displaying  arrays while inputlookup can show them

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2021 07:42 AM

I think the difference in output comes from the join command,  By default, it uses an inner join when perhaps you're expecting an outer join.

Try 

|makeresults | eval uid="asdf" | join type=outer uid [| inputlookup mydata]

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

acadea
Explorer
‎06-24-2021 07:45 AM

thank you,
I've edited/updated the initial question with an example

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...