lookup command usage
If an OUTPUT or OUTPUTNEW clause is not specified, all of the fields in the lookup table that are not the match field are used as output fields.
If the OUTPUT clause is specified, the output lookup fields overwrite existing fields with the same name.
If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist.
Whenever possible, perform lookups after transforming commands like
A transforming command acts like a filter. Running the transforming command before the lookup can minimize the work that the lookup command must do, if the field needed for the lookup is retained by the transforming command.
Here's an example of an optimized search. The transforming command stats is before the lookup command. The stats command retains the status field, which is the field needed for the lookup.
from <dataset> where sourcetype=access_* | stats count() by status | lookup status_desc status OUTPUT description
Here's the same search, but it is not optimized. The lookup is before the transforming command stats. In this example the stats command does not retain the status field needed for the lookup. The stats command includes the description field. There is no optimization advantage to running the stats command before the lookup.
from <dataset> where sourcetype=access_* | lookup status_desc status OUTPUT description | stats count() by description
The lookup in the first search is faster because it only needs to match the results of the stats command and not all the Web access events.
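To make the two points above concrete (why the lookup after stats does less matching work, and how OUTPUT and OUTPUTNEW differ), here is an added Python model of the lookup and stats semantics described on this page. It is not Splunk code; the events and the status_desc table are constructed sample data.

```python
from collections import Counter

# Constructed sample data (not from the Splunk docs): five web access events and
# a status_desc lookup table. One event already carries a description field.
EVENTS = [
    {"sourcetype": "access_combined", "status": "200"},
    {"sourcetype": "access_combined", "status": "404"},
    {"sourcetype": "access_combined", "status": "200"},
    {"sourcetype": "access_combined", "status": "500", "description": "preset"},
    {"sourcetype": "access_combined", "status": "404"},
]
STATUS_DESC = [
    {"status": "200", "description": "OK"},
    {"status": "404", "description": "Not Found"},
    {"status": "500", "description": "Internal Server Error"},
]

def lookup(rows, table, match_field, output=None, mode="OUTPUT"):
    """Model of `lookup <table> <match_field> OUTPUT|OUTPUTNEW <fields>`.
    Returns (enriched rows, number of table matches attempted)."""
    index = {r[match_field]: r for r in table}
    # No OUTPUT clause: every table field except the match field is output.
    fields = output or [f for f in table[0] if f != match_field]
    attempts, result = 0, []
    for row in rows:
        row = dict(row)
        # OUTPUTNEW: the lookup is skipped when the output fields already exist.
        if mode == "OUTPUTNEW" and all(f in row for f in fields):
            result.append(row)
            continue
        attempts += 1
        entry = index.get(row.get(match_field))
        if entry:
            row.update({f: entry[f] for f in fields})  # OUTPUT overwrites
        result.append(row)
    return result, attempts

def stats_count_by(rows, field):
    """Model of `stats count() by <field>`: only <field> and count survive."""
    counts = Counter(r.get(field) for r in rows)
    return [{field: k, "count": n} for k, n in sorted(counts.items())]

def optimized(mode="OUTPUT"):
    # ... | stats count() by status | lookup status_desc status OUTPUT description
    agg = stats_count_by(EVENTS, "status")
    return lookup(agg, STATUS_DESC, "status", ["description"], mode)

def unoptimized(mode="OUTPUT"):
    # ... | lookup status_desc status OUTPUT description | stats count() by description
    enriched, attempts = lookup(EVENTS, STATUS_DESC, "status", ["description"], mode)
    return stats_count_by(enriched, "description"), attempts
```

With this sample the optimized order attempts three matches (one per distinct status) while the unoptimized order attempts one per event, and OUTPUTNEW leaves the event that already had a description untouched.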
Differences between SPL and SPL2
The command options have been removed
The command options local and update are not supported in SPL2.
|... lookup [local=<bool>] update=<bool> <lookup-dataset>...
The list of lookup fields must be comma-delimited
SPL: |... lookup lookupDataset key1 AS field1 key2 AS field2
SPL2: |... lookup lookupDataset key1 AS field1, key2 AS field2
The list of output fields must be comma-delimited
SPL: |... lookup lookupDataset key1 AS field1 OUTPUT out1 AS event1 out2 AS event2
SPL2: |... lookup lookupDataset key1 AS field1 OUTPUT out1 AS event1, out2 AS event2
This documentation applies to the following versions of Splunk® Cloud Services: current