lookup

lookup

Synopsis

Explicitly invokes field value lookups.

Syntax

lookup [local=<bool>] <lookup-table-name> ( <lookup-field> [AS <local-field>] )+ ( OUTPUT ( <lookup-destfield> [AS <local-destfield>] )+ )

Arguments

local

Syntax: local=<bool>

Description: If the 'local' option is set to true, it will ensure that the lookup is only done locally and not on any remote peers.

<local-destfield>

Syntax: <string>

Description: Refers to the field in the local event, defaults to the value of <lookup-destfield>.

<local-field>

Syntax: <string>

Description: Refers to the field in the local event, defaults to the value of <lookup-field>.

<lookup-destfield>

Syntax: <string>

Description: Refers to a field in the lookup table to be copied to the local event.

<lookup-field>

Syntax: <string>

Description: Refers to a field in the lookup table to match to the local event.

<lookup-table-name>

Syntax: <string>

Description: Refers to a stanza name in transforms.conf.

Description

Manually invoke field value lookups. If no OUTPUT clause is specified, all fields in the lookup table that are not specified as a lookup will be used as output fields. If the 'local' option is set to true, it will ensure that the lookup is only done locally and not on any remote peers.

Examples

Example 1: There is a lookup table specified in a stanza name 'usertogroup' in transform.conf. This lookup table contains (at least) two fields, 'user' and 'group'. For each event, we look up the value of the field 'local_user' in the table and for any entries that matches, the value of the 'group' field in the lookup table will be written to the field 'user_group' in the event.

See also

appendcols, inputlookup, outputlookup

• Was this topic useful?
• Post a comment