outputlookup

Description

Writes search results to a static lookup table or KV store collection that you specify.

Syntax

| outputlookup [append=<bool>] [create_empty=<bool>] [max=<int>] [key_field=<field_name>] [createinapp=<bool>] (<filename> | <tablename>)

Required arguments

<filename>

Syntax: <string>

Description: The name of the lookup file. The file must end with .csv or .csv.gz.

<tablename>

Syntax: <string>

Description: The name of the lookup table as specified by a stanza name in transforms.conf. The lookup table can be configured for any lookup type (CSV, external, or KV store).

Optional arguments

append

Syntax: append=<bool>

Description: If set to true, outputlookup attempts to append search results to an existing .csv file or KV store collection. Otherwise it creates a file. If there is an existing .csv file outputlookup only writes the fields that are present in the previously existing .csv file. An outputlookup search run with append=true may result in a situation where the lookup table or collection is only partially updated at some times. This means that a subsequent lookup or inputlookup search on that collection may return stale data along with new data. outputlookup cannot append to .gz files.

Default: false

create_empty

Syntax: create_empty=<bool>

Description: If set to true and there are no results, creates a 0-length file. When set to false, no file is created. If the file previously existed, the file is deleted.

Default: true

createinapp

Syntax: createinapp=<bool>

Description: If set to false or if there is no current application context, then create the file in the system lookups directory.

Default: true

key_field

Syntax: key_field=<field_name>

Description: For KV store-based lookups, uses the specified field name as the key to a value and replaces that value. An outputlookup search using the key_field argument might result in a situation where the lookup table or collection is only partially updated. A subsequent lookup or inputlookup search on that collection might return stale data along with new data. A partial update only occurs with concurrent searches, one with the outputlookup command and a search with the inputlookup command. It is possible that the inputlookup occurs when the outputlookup is still updating some of the records.

max

Syntax: max=<int>

Description: The number of rows to output.

Default: no limit

Usage

The lookup table must be a CSV or GZ file, or a table name specified with a lookup table configuration in transforms.conf. The lookup table can refer to a KV store collection or a CSV lookup. The outputlookup command cannot be used with external lookups.

For CSV-based lookups, if the lookup file does not exist, it is created in the lookups directory of the current application. If the lookup file already exists, it is overwritten with the results of the outputlookup command. If the createinapp option is set to false or if there is no current application context, then the file is created in the system lookups directory.

For more information about lookup table configuration, see "Configure CSV and external lookups" and "Configure KV store lookups" in the Knowledge Manager Manual.

For more information about App Key Value Store collections, see "About KV store" in the Admin Manual.

Multivalued fields

When you output to a static lookup table, the outputlookup command merges values in a multivalued field into single space-delimited value. This does not apply to a KV store collection.

Examples

Example 1: Write to usertogroup lookup table as specified in transforms.conf.

| outputlookup usertogroup

Example 2: Write to users.csv lookup file under $SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/*/lookups.

| outputlookup users.csv

Example 3: Write food inspection events for Shalimar Restaurant to a KV store collection called kvstorecoll. This collection is referenced in a lookup table called kvstorecoll_lookup.

index=sf_food_health sourcetype=sf_food_inspections name="SHALIMAR RESTAURANT" | outputlookup kvstorecoll_lookup

Example 4: Write the contents of a CSV file to the KV store collection kvstorecoll using the lookup table kvstorecoll_lookup. This requires usage of both inputlookup and outputlookup.

| inputlookup customers.csv | outputlookup kvstorecoll_lookup

Example 5: Update field values for a single KV store collection record. This requires usage of inputlookup, outputlookup, and eval. The record is indicated by the value of its internal key ID (the _key field) and is updated with a new customer name and customer city. The record belongs to the KV store collection kvstorecoll, which is accessed through the lookup table kvstorecoll_lookup.

| inputlookup kvstorecoll_lookup | search _key=544948df3ec32d7a4c1d9755 | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup kvstorecoll_lookup append=True key_field=_key

To learn how to obtain the internal key ID values of the records in a KV store collection, see Example 5 for the inputlookup command.

See also

inputlookup, lookup, inputcsv, outputcsv

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the outputlookup command.