Splunk Search

kvstore lookups and efficiency

brent_weaver
Builder

I wanted to get people's thoughts on using multiple data sources in Splunk and whether it's worth doing some processing to join these together, or whether Splunk is good enough at joining multiple lookups together at search time. For example, we have CloudPassage and Qualys data as well as any other asset data that could be joined together to give us a fairly extensive view of assets (at least in AWS). Does it make sense to do some postprocessing of the lookups into a single larger table or keep them separate?

0 Karma

woodcock
Esteemed Legend

It is trivial to join them together like this:

| inputlookup Asset1 | append [| inputlookup Asset2] | append [| inputlookup Asset3] ... etc.

It is also trivial to lookup separately like this:

... | lookup Asset1 | lookup Asset2 | lookup Asset3 | ... etc.

On top of that you can put each of these inside a macro so you can administer it in a single place.
Therefore, I say keep separate stuff separate.
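As an added illustration of the "keep separate, administer in one macro" approach (this is not code from the thread or from Splunk), the block below assumes two lookup definitions named cloudpassage_assets and qualys_assets, both keyed by an assumed instance_id field, and shows the macro, a search that uses it, and a coverage check that lists assets known to only one source:

```spl
# macros.conf -- the whole enrichment chain lives in one place.
# Assumptions: lookup definitions cloudpassage_assets and qualys_assets
# exist and share the key field instance_id (names are hypothetical).
[asset_enrich]
definition = lookup cloudpassage_assets instance_id OUTPUTNEW hostname AS cp_hostname, agent_state \
| lookup qualys_assets instance_id OUTPUTNEW hostname AS q_hostname, last_scan, vuln_count \
| eval hostname = coalesce(cp_hostname, q_hostname)

# Search 1: enrich events at search time, no pre-joined table needed.
index=aws sourcetype=aws:cloudtrail
| `asset_enrich`
| stats count BY instance_id hostname agent_state vuln_count

# Search 2: coverage gap check. Rows from the second lookup carry no src
# value, so coalesce() tags them; source_count < 2 means only one tool
# knows about the asset (unmanaged or unscanned).
| inputlookup cloudpassage_assets
| eval src="cloudpassage"
| inputlookup append=true qualys_assets
| eval src=coalesce(src, "qualys")
| stats values(src) AS sources, dc(src) AS source_count BY instance_id
| where source_count < 2
```

The second search is worth scheduling as a report so that drift between the two asset sources surfaces without anyone having to remember to run it.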
