Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF



Writes search results to the specified static lookup table.


outputlookup [append=<bool>] [create_empty=<bool>] [max=<int>] [createinapp=<bool>] (<filename> | <tablename>)

Required arguments

Syntax: <string>
Description: The name of the lookup file (must end with .csv or .csv.gz).
Syntax: <string>
Description: The name of the lookup table as specified by a stanza name in transforms.conf.

Optional arguments

Syntax: append=<bool>
Description: If 'append' is true, we will attempt to append to an existing csv file if it exists or create a file if necessary. If there is an existing file that has a csv header already, we will only emit the fields that are referenced by that header. .gz files cannot be append to. Defaults to false.
Syntax: max=<int>
Description: The number of rows to output.
Syntax: create_empty=<bool>
Descriptopn: If set to true and there are no results, creates a 0-length file. When false, no file is created and the files is deleted if it previously existed. Defaults to true.
Syntax: createinapp=<bool>
Description: If set to false or if there is no current application context, then create the file in the system lookups directory.


Saves results to a lookup table as specified by a filename (must end with .csv or .gz) or a table name (as specified by a stanza name in transforms.conf). If the lookup file does not exist, Splunk creates the file in the lookups directory of the current application. If the lookup file already exists, Splunk overwrites that files with the results of outputlookup. If the 'createinapp' option is set to false or if there is no current application context, then Splunk creates the file in the system lookups directory.


Example 1: Write to "usertogroup" lookup table (as specified in transforms.conf).

| outputlookup usertogroup

Example 2: Write to "users.csv" lookup file (under $SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/*/lookups).

| outputlookup users.csv

See also

inputlookup, lookup, outputcsv


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the outputlookup command.

Last modified on 13 August, 2014

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.13, 6.2.14, 6.2.15

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters