lookup command usage

If an OUTPUT or OUTPUTNEW clause is not specified, all of the fields in the lookup table that are not the match field are used as output fields.

If the OUTPUT clause is specified, the output lookup fields overwrite existing fields with the same name.

If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist.

Optimization

Whenever possible, perform lookups after transforming commands like stats and timechart.

A transforming command acts like a filter. Running the transforming command before the lookup can minimize the work that the lookup command must do, if the field needed for the lookup is retained by the transforming command.

Here's an example of an optimized search. The transforming command stats is before the lookup command. The stats command retains the status field, which is the field needed for the lookup.

from <dataset> where sourcetype=access_* | stats count() by status | lookup status_desc status OUTPUT description

Here's the same search, but it is not optimized. The lookup is before the transforming command stats. In this example the stats command does not retain the status field needed for the lookup. The stats command includes the description field. There is no optimization advantage to running the stats command before the lookup.

from <dataset> where sourcetype=access_* | lookup status_desc status OUTPUT description | stats count() by description

The lookup in the first search is faster because it only needs to match the results of the stats command and not all the Web access events.

Differences between SPL and SPL2

The command options have been removed

The command options local and update are not supported in SPL2.

The list of lookup fields must be comma-delimited

The list of output fields must be comma-delimited

See also

lookup command

lookup command overview

lookup command syntax usage

lookup command examples