Knowledge Management

what is the difference between inputcsv and inputlookup?

asmithe
Path Finder

From the documentation it looks that the difference is mostly the file location of the input file.

Can anyone with more experience with these two search commands comment on why you might choose to use inputlookup vs. inputcsv?

Tags (2)
1 Solution

araitz
Splunk Employee
Splunk Employee

inputlookup treats the given lookup as input. If CSV files, lookups must be in $SPLUNK_HOME/etc/apps//lookups. Otherwise, they might be scripted or external_url lookups, in which case a script or URL is providing said input.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup

inputcsv treats the given CSV file as input. CSV files can only be used if they live in $SPLUNK_HOME/var/run/splunk.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputcsv

View solution in original post

MuS
SplunkTrust
SplunkTrust

@somesoni2: thanks for this hint! using append=t works, without you will get the must be first search command error 😉

araitz
Splunk Employee
Splunk Employee

inputlookup treats the given lookup as input. If CSV files, lookups must be in $SPLUNK_HOME/etc/apps//lookups. Otherwise, they might be scripted or external_url lookups, in which case a script or URL is providing said input.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputlookup

inputcsv treats the given CSV file as input. CSV files can only be used if they live in $SPLUNK_HOME/var/run/splunk.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputcsv

aelliott
Motivator

inputcsv can be treated as "events" by setting a flag that will allow for timecharts of the data.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Are you sure it should be the first command, I guess we can do things like "index=_internal | inputcsv abc.csv append=t"

0 Karma

MuS
SplunkTrust
SplunkTrust

as addition:
inputcsv must be the first command in a search, where as a lookup can be done anywhere in the search path

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Portability of csv file can also be a factor for having a csv file added as lookup table file (under an app) so they can be deployed across various splunk instances as part of app package.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

One difference I can see is that you can restrict the execution of the command/access to csv data using role security using inputlookup. (inputlookup loads data from lookup table file/lookup definition file permissions for which can be set)

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...