Splunk Enterprise Security

Ignore automatic lookup just for a search

marcoscala
Builder

Hi!

Do you know if there's a way to tell Splunk to ignore automatic lookups just for a search? I'm configuring some custom reports on a Splunk installation with the ES and PCI apps. Those apps make intensive use of automatic lookups, which is fine, but it introduces some overhead. Running my custom report, I see from the Search Inspector that most of the time (28 secs out of 31 secs) is spent in command.search.lookups.

Is there a way to say: for this search, ignore automatic lookups?

Thanks a lot!

JimGat_SSI
New Member

Did you ever get an answer to this? I am wanting to disable the automatic lookups for specific searches using triggered fields.

0 Karma

lukejadamec
Super Champion

Automatic lookups are used when the search includes the lookup output. For example: if you have an input RETURNCODE and an output returncode_name, and you run a search like this:

search |table RETURNCODE

The cost for command.search.lookups will be zero.

If you run the search:

search |table returncode_name

The cost for command.search.lookups will have a value.

What you'll need to do is create your custom search so that it uses the inputs to the lookup, and not the outputs.
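The rule in this answer, checked mechanically: an added example (not code from the thread or from Splunk) that reads the LOOKUP-<name> settings of a sourcetype stanza from a constructed props.conf fragment and reports which fields a search references are automatic-lookup outputs, so a report can be rewritten to use lookup inputs only. The props.conf content, the `vanguard` stanza and the helper names are assumptions; the SPL scan is a heuristic over `table`/`fields` clauses and `field=value` terms, not a full SPL parser.

```python
import configparser
import re

# Constructed props.conf fragment (an assumption, not from the thread):
# two automatic lookups defined with Splunk's LOOKUP-<name> setting syntax,
# "<transform> <input> OUTPUT|OUTPUTNEW <out> [AS <alias>] ...".
PROPS_CONF = """
[vanguard]
LOOKUP-asset = asset_lookup host OUTPUT asset_priority asset_owner
LOOKUP-rc = returncode_lookup RETURNCODE OUTPUTNEW returncode_name
"""

def automatic_lookup_outputs(props_text, sourcetype):
    """Return {search-time field name: lookup name} for every LOOKUP-* setting
    in the stanza of `sourcetype`, honouring OUTPUT/OUTPUTNEW and `AS`."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so "LOOKUP-" prefix survives
    cp.read_string(props_text)
    outputs = {}
    for key, value in cp[sourcetype].items():
        if not key.startswith("LOOKUP-"):
            continue
        m = re.search(r"\bOUTPUT(?:NEW)?\b(.*)$", value, re.IGNORECASE)
        if not m:
            continue
        tokens = m.group(1).split()
        i = 0
        while i < len(tokens):
            name = tokens[i]
            if i + 2 < len(tokens) and tokens[i + 1].upper() == "AS":
                name = tokens[i + 2]  # alias is the field the search sees
                i += 3
            else:
                i += 1
            outputs[name] = key[len("LOOKUP-"):]
    return outputs

def lookup_fields_used(spl, outputs):
    """Sorted list of fields in `spl` that are automatic-lookup outputs.
    Any hit means command.search.lookups will have a non-zero cost."""
    used = set()
    for seg in spl.split("|"):
        cmd, _, rest = seg.strip().partition(" ")
        if cmd.lower() in ("table", "fields"):
            used.update(t.strip("+-,") for t in rest.split())
        else:  # base search or other command: pick up field=value terms
            used.update(re.findall(r"\b(\w+)\s*=", seg))
    return sorted(f for f in used if f in outputs)
```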

millern4
Communicator

Although this thread is quite old, I'd still like to see if anyone out there is still experiencing this exact same issue?

We've been working with support for some time now to troubleshoot poor search performance on our (4) ES SH cluster, where a majority of our time is spent in command.search.lookups, whereas our (6) non-ES SH cluster running the exact same search produces lightning-fast results.

We are obviously aware of the nature of how ES functions with the automatic lookups, but I'm curious about others' experience with Enterprise Security searching vs. non-ES search performance. Is it similar, better, worse, and how close is the experience between the environments for end users?

Thanks

lukejadamec
Super Champion

If this answer helped, please mark it as accepted.

0 Karma

lukejadamec
Super Champion

You can lead a horse to water....
Look, when you search for the sourcetype, the search will of course find all fields and all associated lookups.

Like I said, you need to include in your search only fields that are not lookup fields.
Try this with your search and check the cost (this is a very basic example):
sourcetype=vanguard |fields index

0 Karma

marcoscala
Builder

I'm sorry to contradict your reply: in the Splunk for PCI app, for instance, every time there's a host, src or dest field, the automatic lookups are fired to produce more info from the assets.csv file. So the cost in my case has always had a quite significant value.

The search "sourcetype=vanguard" in the last 15m has the following costs:
1.959 events in 8,65 seconds.
5,021 command.search
4,049 command.search.lookups

0 Karma