outputlookup
This documentation does not apply to the most recent version of Splunk.
Synopsis
Saves search results to a specified static lookup table.
Syntax
outputlookup [max=int] [createinapp=bool] (<filename>|<tablename>)
Arguments
- max
  - Syntax: max=<int>
  - Description: The number of rows to output.
- createinapp
  - Syntax: createinapp=<bool>
  - Description: If set to false, or if there is no current application context, the file is created in the system lookups directory.
- <filename>
  - Syntax: <string>
  - Description: The name of the lookup file (must end with .csv or .csv.gz).
- <tablename>
  - Syntax: <string>
  - Description: The name of the lookup table as specified by a stanza name in transforms.conf.
Description
Saves results to a lookup table as specified by a filename (must end with .csv or .gz) or a table name (as specified by a stanza name in transforms.conf). If the lookup file does not exist, Splunk creates it by default in the lookups directory of the current application. If the createinapp option is set to false, or if there is no current application context, Splunk creates the file in the system lookups directory.
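The following search is an added example, not part of the original Splunk documentation, showing both options from the syntax above used together: it keeps at most 100 rows and, because createinapp=false, writes the file to the system lookups directory ($SPLUNK_HOME/etc/system/lookups) instead of the current application's lookups directory. The sourcetype linux_secure, the field src_ip, and the file name failed_ssh_sources.csv are assumptions chosen for illustration.

```spl
sourcetype=linux_secure "Failed password"
| stats count by src_ip
| sort - count
| outputlookup max=100 createinapp=false failed_ssh_sources.csv
```

Running `| inputlookup failed_ssh_sources.csv` afterwards confirms which rows were written.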
Examples
Example 1: Write to "usertogroup" lookup table (as specified in transforms.conf).
| outputlookup usertogroup
Example 2: Write to "users.csv" lookup file (under $SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/*/lookups).
| outputlookup users.csv
See also
inputlookup, lookup, outputcsv, outputlookup
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11