Splunk® Cloud Services

SPL2 Search Reference

lookup command syntax details

Syntax

The required syntax is in bold.

lookup <lookup-dataset> (<lookup-field> [AS <event-field>] )...
[ (OUTPUT | OUTPUTNEW) ( <lookup-destfield> [AS <event-destfield>] )...]

The AS keyword is displayed in uppercase in the syntax and examples to make the syntax easier to read. You can specify this keyword in uppercase or lowercase.

Required arguments

lookup-dataset
Syntax: <string>
Description: The name of the lookup table that is defined as a dataset in the Metadata Catalog.
lookup-field
Syntax: <string>
Description: A field in the lookup dataset to match against the search results. You can specify multiple <lookup-field> values.

Optional arguments

event-field
Syntax: AS <string>
Description: A field in the incoming search results to match with a field in the <lookup-dataset>. You don't need to specify the <event-field> if the name of the <event-field> is the same as the name of the <lookup-field>. You can specify multiple <event-field> values.
Default: The name specified in the <lookup-field> argument.
OUTPUT | OUTPUTNEW
Syntax: OUTPUT | OUTPUTNEW
Description: Specifies whether to replace or append values from the lookup dataset to the search results. OUTPUT replaces values in existing search results fields with values from the lookup dataset. Where there is no value in a field, OUTPUT adds values from the lookup dataset to the search results fields. OUTPUTNEW appends fields and values from the lookup dataset to the search results. If the search results already have the fields specified in <lookup-field>, the OUTPUTNEW argument only fills in missing values in those fields. OUTPUT and OUTPUTNEW must be specified in uppercase.
Default: OUTPUT
lookup-destfield
Syntax: <string>
Description: A field in the lookup table to be applied to the search results. You can specify multiple <lookup-destfield> values. Used with OUTPUT | OUTPUTNEW to replace or append field values.
Default: All fields are applied to the search results if no fields are specified.
event-destfield
Syntax: AS <string>
Description: A field in the search results. You can specify multiple <event-destfield> values. If the name of the <event-destfield> is the same as the <lookup-destfield>, you don't need to specify the <event-destfield>. The name of the <lookup-destfield> is used. Used with OUTPUT | OUTPUTNEW to replace or append field values.
Default: The value of <lookup-destfield>.

See also

lookup command
lookup command overview
lookup command usage
lookup command examples
Last modified on 06 October, 2021
lookup command overview   lookup command usage

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters