# utreadlookup

utreadlookup fetches a lookup file from Cribl Stream and creates a result set from the content of the lookup. The resulting table can be manipulated and used in Splunk like any other table. Due to limitations of custom search commands, utreadlookup does not provide an append option. If you want to append fetched content (fewer than 50,000 rows) from Cribl Stream to an existing result set, use an SPL search similar to the following snippet:

```spl
| makeresults count=100
| append
    [ | utreadlookup instance="<string>" lookup_name="<string>" ]
```

If you need more than 50,000 rows, either run a separate utreadlookup search that writes the content into a Splunk lookup, or increase `subsearch_maxout` in `limits.conf`.
## Arguments
| Name | Description | Example |
|---|---|---|
| instance | Instance to read the lookup from; supports multiple instances as a comma-separated list | dev |
| lookup_name | Name of the lookup that should be read from Cribl Stream | model_relative_entropy_top_domains.csv |
## Examples

### Reading a .csv lookup from Cribl Stream
Run the following SPL search to read a lookup from Cribl Stream and save it to a lookup in Splunk:

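As an added illustration that is not part of the original documentation, the following two searches show the approach described above for lookups with more than 50,000 rows: the first search persists the Cribl Stream lookup into a Splunk lookup with `outputlookup`, and the second (the main search) appends that Splunk lookup to its result set with `inputlookup append=true`, so no subsearch limit applies. The instance `dev`, the Cribl lookup name taken from the Arguments table, and the Splunk lookup file name `cribl_top_domains.csv` are assumed values.

```spl
| utreadlookup instance="dev" lookup_name="model_relative_entropy_top_domains.csv"
| outputlookup cribl_top_domains.csv

| makeresults count=100
| inputlookup append=true cribl_top_domains.csv
```

Run the first search on a schedule (or once, before the main search) so the Splunk lookup exists; the second search can then be used wherever the appended rows are needed.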