Splunk® Cloud Services

SPL2 Search Reference

lookup command usage

If an OUTPUT or OUTPUTNEW clause is not specified, all of the fields in the lookup table that are not the match field are used as output fields.

If the OUTPUT clause is specified, the output lookup fields overwrite existing fields with the same name.

If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist.


Whenever possible, perform lookups after transforming commands like stats and timechart.

A transforming command acts like a filter. Running the transforming command before the lookup can minimize the work that the lookup command must do, if the field needed for the lookup is retained by the transforming command.

Here's an example of an optimized search. The transforming command stats is before the lookup command. The stats command retains the status field, which is the field needed for the lookup.

from <dataset> where sourcetype=access_* | stats count() by status | lookup status_desc status OUTPUT description

Here's the same search, but it is not optimized. The lookup runs before the transforming command stats. In this example, the stats command groups by the description field and does not retain the status field needed for the lookup, so there is no optimization advantage to running the stats command before the lookup.

from <dataset> where sourcetype=access_* | lookup status_desc status OUTPUT description | stats count() by description

The lookup in the first search is faster because it only needs to match the results of the stats command and not all the Web access events.
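The clause behavior and the ordering advice above, as an added Python model (not Splunk code and not part of the original documentation): it counts how many rows the lookup has to match in each ordering and shows OUTPUT overwriting a field where OUTPUTNEW skips the row. The function names, the sample events and the contents of status_desc are constructed for illustration.

```python
from collections import Counter

# Constructed stand-in for the status_desc lookup table: status -> output fields.
STATUS_DESC = {
    "200": {"description": "OK"},
    "404": {"description": "Not Found"},
    "503": {"description": "Service Unavailable"},
}
# Constructed sample of ten web access events.
EVENTS = [{"status": s} for s in ["200"] * 6 + ["404"] * 3 + ["503"]]


def lookup(rows, table, match_field, out_fields, mode="OUTPUT"):
    """Simplified model of lookup; returns (rows, number of rows matched)."""
    result, matched = [], 0
    for row in rows:
        row = dict(row)
        # OUTPUTNEW: no lookup for rows where the output fields already exist.
        if mode == "OUTPUTNEW" and all(f in row for f in out_fields):
            result.append(row)
            continue
        matched += 1  # one match attempt against the lookup table
        entry = table.get(row.get(match_field))
        if entry:
            # OUTPUT: lookup values overwrite existing fields of the same name.
            row.update({f: entry[f] for f in out_fields})
        result.append(row)
    return result, matched


def stats_count_by(rows, field):
    """Model of `stats count() by <field>`: one row per distinct value."""
    counts = Counter(r[field] for r in rows)
    return [{field: value, "count": n} for value, n in counts.items()]


def stats_then_lookup(events):
    rows, work = lookup(stats_count_by(events, "status"), STATUS_DESC,
                        "status", ["description"])
    return {r["description"]: r["count"] for r in rows}, work


def lookup_then_stats(events):
    rows, work = lookup(events, STATUS_DESC, "status", ["description"])
    grouped = stats_count_by(rows, "description")
    return {r["description"]: r["count"] for r in grouped}, work


if __name__ == "__main__":
    print(stats_then_lookup(EVENTS))  # 3 rows matched
    print(lookup_then_stats(EVENTS))  # 10 rows matched
```

Both orderings return the same counts per description; only the number of rows the lookup has to match differs.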

Differences between SPL and SPL2

The command options have been removed

The command options local and update are not supported in SPL2.

Version  Example
SPL      ... lookup [local=<bool>] [update=<bool>] <lookup-dataset>...
SPL2     Not supported

The list of lookup fields must be comma-delimited

Version  Example
SPL      ... lookup lookupDataset key1 AS field1 key2 AS field2
SPL2     ... lookup lookupDataset key1 AS field1, key2 AS field2

The list of output fields must be comma-delimited

Version  Example
SPL      ... lookup lookupDataset key1 AS field1 OUTPUT out1 AS event1 out2 AS event2
SPL2     ... lookup lookupDataset key1 AS field1 OUTPUT out1 AS event1, out2 AS event2

See also

lookup command
lookup command overview
lookup command syntax usage
lookup command examples
Last modified on 20 October, 2020

This documentation applies to the following versions of Splunk® Cloud Services: current
