Skip to main content
Version: 1.0.0

utreadlookup

utreadlookup fetches a lookup file from Cribl Stream and creates a resultset based on the content of the lookup. The resulting table can be manipulated and used in Splunk as any other table. Due to some limitations with custom search commands, utreadlookup does not provide an append option. If you want to append fetched content (less than 50'000 rows) from Cribl Stream to an existing result set, use a SPL similar to the following snippet:

| makeresults count=100 
| append
[ | utreadlookup instance="<string>" lookup_name="<string>" ]

If you need more than 50'000 rows, either resort to a seperate utreadlookup search that writes into a Splunk lookup or increase subsearch_maxout in limits.conf.

Arguments

NameDescriptionExample
instanceInstance from which to read the lookup fromdev
lookup_nameName of the lookup that should be read from Cribl Streammodel_relative_entropy_top_domains.csv

Examples

Reading a .csv lookup from Cribl Stream

Run the following SPL search to read a lookup from Cribl Stream and save it to a lookup in Splunk: