inputlookup
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
inputlookup
Synopsis
Loads search results from a specified static lookup table.
Syntax
inputlookup [append=bool] [start=int] [max=int] (<filename>|<tablename>)
Arguments
- append
- Syntax: append=<bool>
- Description: If set to true (default is false), the data from the lookup file is appended to the current set of results rather than replacing it.
- start
- Syntax: start=<int>
- Description:
- max
- Syntax max=<int>
- Description:
- <filename>
- Syntax: <string>
- Description: The name of the lookup file (must end with .csv or .csv.gz).
- <tablename>
- Syntax: <string>
- Description: The name of the lookup table as specified by a stanza name in transforms.conf.
Description
Reads in lookup table as specified by a filename (must end with .csv or .csv.gz) or a table name (as specified by a stanza name in transforms.conf). If 'append' is set to true (false by default), the data from the lookup file is appended to the current set of results rathering than replacing it.
Examples
Example 1: Read in "usertogroup" lookup table (as specified in transforms.conf).
| inputlookup usertogroupExample 2: Same as example2 except that the data from the lookup table is appended to any current results.
| inputlookup append=t usertogroupExample 3: Read in "users.csv" lookup file (under $SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/*/lookups).
| inputlookup users.csvSee also
inputcsv, join, lookup, outputlookup,
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.