I am curious what the performance difference is between sorted and unsorted lookups (sorting by the primary search key, of course), or if there is any.
Lookups are only indexed over a certain size:
http://splunk-base.splunk.com/answers/8326/are-lookup-tables-indexed
http://splunk-base.splunk.com/answers/10160/at-what-point-do-very-large-lookup-files-csv-get-indexed
I tested using a sorted and then randomized lookup table. The results are below.
Sorted lookup table:
Duration (seconds)  Component       Invocations  Input count  Output count
147.425             command.lookup  302          104          104
Randomized lookup table:
Duration (seconds)  Component       Invocations  Input count  Output count
199.059             command.lookup  301          104          104
Caveats:
Lookups are indexed (either in memory or on disk), so I doubt that there is any advantage to presorting the CSV file.