- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup OUTPUTNEW Behavior
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookup OUTPUTNEW Behavior
Hello,
I have a wrong behavior on lookup command with OUTPUTNEW options.
What I'm trying to achieve is to update the host_name of an asset from source2, if source1 doesn't provide a host_name.
| lookup source1 host_ip OUTPUT host_name
| eval host_name= if(host_name=="NONE", NULL, host_name)
| lookup source2 host_ip OUTPUTNEW host_name
So for a specific IP, source1 provides a host_name, but I have "NONE" because source2 lookup doesn't know the host_name.
This behavior seems to be incorrect if we read the Splunk documentation :
If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist.
So source2 lookup should not be performed.
Anyone has an idea about what's going on ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Source 2 lookup will not “stomp” on events that already have host_name. The lookup will still be executed however.
So you should get the same results if you do the search without the eval.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think that EVAL is the cause.
↓"host_name" is added only to matching data.
| lookup source1 host_ip OUTPUT host_name
↓"host_name" will be added to everything
| eval host_name= if(host_name=="NONE", NULL, host_name)
↓Do not update because there is "host_name" in everything
| lookup source2 host_ip OUTPUTNEW host_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm not totally agree with you :
↓"host_name" is added if IP is known from source1
| lookup source1 host_ip OUTPUT host_name
↓if host_name is known from source1, then keep the host_name, otherwise, set it to NULL (which I hope that it will 'delete' the field)
| eval host_name= if(host_name=="NONE", NULL, host_name)
↓if host_name already exists, then do nothing, otherwise try to find a match
| lookup source2 host_ip OUTPUTNEW host_name
This behavior it's confirmed if I use only:
| lookup source1 host_ip OUTPUT host_name
| eval host_name= if(host_name=="NONE", NULL, host_name)
I have a host_name
But when I add
| lookup source2 host_ip OUTPUTNEW host_name
I have 'NONE' as host_name which is the behavior of no match (but lookup is performed despite of 'OUTPUTNEW' clause)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When is host_name added?
It does not delete the field. Just set the field to NULL.
>↓if host_name is known from source1, then keep the host_name, otherwise, >set it to NULL (which I hope that it will 'delete' the field)
>| eval host_name= if(host_name=="NONE", NULL, host_name)
So I think that this is OK.
| lookup source1 host_ip OUTPUT host_name
| lookup source2 host_ip OUTPUTNEW host_name
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
