Search Reference

lookup

Use the lookup command to manually invoke field lookups from a lookup table that you've defined in transforms.conf. For more information, see "Lookup fields from external data sources," in the Knowledge Manager manual.


Synopsis

Explicitly invokes field value lookups.

Syntax

lookup [local=<bool>] [update=<bool>] <lookup-table-name> ( <lookup-field> [AS <local-field>] )+ [ OUTPUT ( <lookup-destfield> [AS <local-destfield>] )+ ]

Required arguments

<lookup-table-name>
Syntax: <string>
Description: Refers to a stanza name in transforms.conf.

Optional arguments

local
Syntax: local=<bool>
Description: If the 'local' option is set to true, it will ensure that the lookup is only done locally and not on any remote peers.
update
Syntax: update=<bool>
Description: If the lookup table is updated on disk while the search is running, a real-time search reflects the update while a non-real-time search does not. Set the update option to override this default behavior.
<local-destfield>
Syntax: <string>
Description: The field in the event that receives the copied value. Defaults to the name of <lookup-destfield>.
<local-field>
Syntax: <string>
Description: The field in the event whose value is matched against <lookup-field>. Defaults to the name of <lookup-field>.
<lookup-destfield>
Syntax: <string>
Description: A field in the lookup table whose value is copied into the event when a row matches.
<lookup-field>
Syntax: <string>
Description: A field in the lookup table that is matched against the event.

Description

Use the lookup command to invoke field value lookups manually. If no OUTPUT clause is specified, every field in the lookup table that is not used as a lookup field is used as an output field. If the 'local' option is set to true, the lookup is done only locally and not on any remote peers.

Examples

Example 1: There is a lookup table specified in a stanza named 'usertogroup' in transforms.conf. This lookup table contains (at least) two fields, 'user' and 'group'. For each event, the value of the field 'local_user' is looked up in the table, and for any entry that matches, the value of the 'group' field in the lookup table is written to the field 'user_group' in the event.

... | lookup usertogroup user as local_user OUTPUT group as user_group

Optimizing your lookup search

If you're using the lookup command in the same pipeline as a reporting command, do the lookup after the reporting command. For example, run:

sourcetype=access_* | stats count by status | lookup status_desc status OUTPUT description

instead of:

sourcetype=access_* | lookup status_desc status OUTPUT description | stats count by description

The lookup in the first search is faster because it only needs to match the rows produced by the stats command (one per distinct status) rather than every Web access event. As a rule, aggregate on the raw field first and then enrich the aggregated rows.
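The matching and OUTPUT rules from the Description and Example 1 above, and the reason the lookup-after-stats ordering is cheaper, as an added Python model written for this page (it is not Splunk code and does not run inside Splunk). The 'usertogroup' CSV contents, the events, and the 'department' column are constructed for the example; exact string matching and using only the first matching table row are simplifying assumptions, not a statement of how Splunk resolves multiple matches.

```python
import csv
import io
from collections import Counter

# Constructed lookup table: the CSV behind a hypothetical 'usertogroup' stanza
# in transforms.conf. Rows and the 'department' column are made up here.
USERTOGROUP_CSV = """user,group,department
alice,admins,platform
bob,developers,payments
carol,developers,payments
"""

# Constructed events; 'local_user' is the event field matched against 'user'.
# 'mallory' has no row in the table, so the lookup adds nothing to that event.
EVENTS = [
    {"local_user": "alice", "src": "10.0.0.5"},
    {"local_user": "alice", "src": "10.0.0.5"},
    {"local_user": "bob", "src": "10.0.0.9"},
    {"local_user": "mallory", "src": "10.0.0.7"},
    {"local_user": "alice", "src": "10.0.0.6"},
    {"local_user": "bob", "src": "10.0.0.9"},
]


def load_table(text):
    """Parse CSV text into a list of row dicts (column order preserved)."""
    return list(csv.DictReader(io.StringIO(text)))


def lookup(events, table, fields, output=None):
    """Model of: lookup <table> (<lookup-field> AS <local-field>)+ [OUTPUT (<dest> AS <local-dest>)+]

    fields: (lookup_field, local_field) pairs that must all match exactly.
    output: (lookup_destfield, local_destfield) pairs to copy onto the event.
            None models a missing OUTPUT clause: every table column that is
            not a lookup field is copied under its own name.
    Returns (enriched_events, probes); probes is the number of table matches
    attempted, used below to show why lookup should follow stats.
    Simplifications (assumed, not Splunk behaviour): exact string matching,
    and only the first matching table row is used.
    """
    if output is None:
        used = {lf for lf, _ in fields}
        output = [(col, col) for col in table[0].keys() if col not in used]
    index = {}
    for row in table:
        index.setdefault(tuple(row[lf] for lf, _ in fields), row)
    results, probes = [], 0
    for ev in events:
        probes += 1
        row = index.get(tuple(ev.get(local) for _, local in fields))
        out = dict(ev)
        if row is not None:
            for dest, local_dest in output:
                out[local_dest] = row[dest]
        results.append(out)
    return results, probes


def stats_count_by(events, field):
    """Model of: stats count by <field> (one row per distinct value)."""
    counts = Counter(ev.get(field) for ev in events)
    return [{field: value, "count": n}
            for value, n in sorted(counts.items(), key=lambda kv: str(kv[0]))]


def example_1():
    """... | lookup usertogroup user AS local_user OUTPUT group AS user_group"""
    table = load_table(USERTOGROUP_CSV)
    results, _ = lookup(EVENTS, table, [("user", "local_user")],
                        [("group", "user_group")])
    return results


def example_default_output():
    """... | lookup usertogroup user AS local_user   (no OUTPUT clause)"""
    table = load_table(USERTOGROUP_CSV)
    results, _ = lookup(EVENTS, table, [("user", "local_user")])
    return results


def probe_counts():
    """Table probes for lookup-then-stats versus stats-then-lookup."""
    table = load_table(USERTOGROUP_CSV)
    fields, output = [("user", "local_user")], [("group", "user_group")]
    # ... | lookup ... OUTPUT group AS user_group | stats count by user_group
    enriched, probes_before = lookup(EVENTS, table, fields, output)
    stats_count_by(enriched, "user_group")
    # ... | stats count by local_user | lookup ... OUTPUT group AS user_group
    rows = stats_count_by(EVENTS, "local_user")
    _, probes_after = lookup(rows, table, fields, output)
    return probes_before, probes_after


if __name__ == "__main__":
    for ev in example_1():
        print(ev)
    print("probes, lookup before stats vs after:", probe_counts())
```

With six constructed events from three distinct users, running the lookup before stats probes the table six times, while running it after stats probes it three times; the gap grows with the event volume, which is the point of the ordering advice above.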

See also

appendcols, inputlookup, outputlookup


This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3
