lookup

Description

Use the lookup command to invoke field value lookups. For information about the types of lookups you can define, see About lookups in the Knowledge Manager Manual.

The lookup command supports IPv4 and IPv6 addresses and subnets that use CIDR notation.

Syntax

lookup [local=<bool>] [update=<bool>] <lookup-table-name> <lookup-field> [AS <event-field>] [, <lookup-field> [AS <event-field>]]... [OUTPUT | OUTPUTNEW <lookup-destfield> [AS <event-destfield>] [, <lookup-destfield> [AS <event-destfield>]]...]

Note: The lookup command can accept multiple lookup and event fields and destfields. For example:

... | lookup <lookup-table-name> <lookup-field1> AS <event-field1>, <lookup-field2> AS <event-field2> OUTPUTNEW <lookup-destfield1> AS <event-destfield1>, <lookup-destfield2> AS <event-destfield2>

Required arguments

<lookup-table-name>
Syntax: <string>
Description: Can be either the name of a CSV file that you want to use as the lookup, or the name of a stanza in the transforms.conf file that specifies the location of the lookup table file.

Optional arguments

local
Syntax: local=<bool>
Description: If local=true, forces the lookup to run on the search head and not on any remote peers.
Default: false

update
Syntax: update=<bool>
Description: If the lookup table is modified on disk while the search is running, real-time searches do not automatically reflect the update. Specify update=true to make a real-time search pick up the modified table. This does not apply to searches that are not real-time searches.
Default: false

<lookup-field>
Syntax: <string>
Description: Refers to a field in the lookup table to match against the events.

<event-field>
Syntax: <string>
Description: Refers to a field in the events from which to acquire the value to match in the lookup table.

<lookup-destfield>
Syntax: <string>
Description: Refers to a field in the lookup table to be copied into the events.

<event-destfield>
Syntax: <string>
Description: A field in the events that receives the copied value.

Usage

The lookup command is a distributable streaming command when local=false, which is the default setting.

When using the lookup command, if an OUTPUT or OUTPUTNEW clause is not specified, all of the fields in the lookup table that are not the match fields are used as output fields. If the OUTPUT clause is specified, the output lookup fields overwrite existing fields. If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist.

When you set up the OUTPUT or OUTPUTNEW clause for your lookup, avoid accidentally creating lookup reference cycles, where you intentionally or accidentally reuse the same field names among the match fields and the output fields of a lookup search. For example, if you run a lookup search where type is both the match field and the output field, you are creating a lookup reference cycle. You can also create a lookup reference cycle by accident when you omit the OUTPUT or OUTPUTNEW clause, because every non-match field in the table then becomes an output field.

For more information about lookup reference cycles, see Define an automatic lookup in Splunk Web in the Knowledge Manager Manual.

Optimizing your lookup search

If you are using the lookup command in the same pipeline as a transforming command, and it is possible to retain the field you will look up on after the transforming command, do the lookup after the transforming command. For example, run:

sourcetype=access_* | stats count by status | lookup status_desc status OUTPUT description

and not:

sourcetype=access_* | lookup status_desc status OUTPUT description | stats count by description

The lookup in the first search is faster because it only needs to match the results of the stats command and not all of the Web access events.
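The OUTPUT, OUTPUTNEW and reference-cycle rules above, together with CIDR matching, are easiest to see on concrete rows. The following Python model is an added example and is not part of the Splunk documentation or of the lookup command's implementation. The two CSV tables, the event dicts and the threat-intel field names (cidr, threat, severity, src_ip) are constructed for the example; Splunk itself enables CIDR matching per field in the lookup definition, whereas this model applies it to any lookup value that parses as a subnet, and it refuses a reference cycle outright, which is this model's choice rather than documented Splunk behaviour.

```python
import csv
import io
import ipaddress

# Constructed lookup tables (not from the original page). The first mirrors the
# page's status_desc lookup; the second is a hypothetical threat-intel table
# keyed on CIDR blocks, to exercise IPv4/IPv6 subnet matching.
STATUS_DESC_CSV = """status,description
200,OK
401,Unauthorized
404,Not Found
"""
THREAT_CSV = """cidr,threat,severity
203.0.113.0/24,scanner,high
2001:db8::/32,botnet,high
"""


def load_lookup(csv_text):
    """Parse a CSV lookup table into a list of row dicts (header row = field names)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def values_match(lookup_value, event_value):
    """Exact string match, or subnet containment when the lookup value parses as
    a CIDR block. Splunk enables CIDR matching per field in the lookup
    definition; this model simply tries it for every value that looks like a
    network. Mixed IPv4/IPv6 comparisons never match."""
    if lookup_value == event_value:
        return True
    try:
        return ipaddress.ip_address(event_value) in ipaddress.ip_network(lookup_value, strict=False)
    except ValueError:
        return False


def has_reference_cycle(match, dest):
    """True when an event field is used both to match on and as an output field."""
    match_event_fields = {event_field for _, event_field in match}
    return any(event_dest in match_event_fields for _, event_dest in dest)


def splunk_lookup(events, table, match, output=None, outputnew=None):
    """Apply a lookup to a list of event dicts and return enriched copies.

    match     -- [(lookup_field, event_field), ...]; every pair must match a row
    output    -- [(lookup_destfield, event_destfield), ...]; overwrites existing values
    outputnew -- same shape; an event keeps an output field it already has
    With neither clause, every non-match field of the table becomes an output
    field and existing values are overwritten, which is how cycles sneak in.
    Only the first matching row is used (a simplification of the model).
    """
    if output is not None and outputnew is not None:
        raise ValueError("specify OUTPUT or OUTPUTNEW, not both")
    match_lookup_fields = {lookup_field for lookup_field, _ in match}
    if output is None and outputnew is None:
        dest = [(f, f) for f in table[0] if f not in match_lookup_fields]
        keep_existing = False
    else:
        dest = output if output is not None else outputnew
        keep_existing = outputnew is not None
    if has_reference_cycle(match, dest):
        # Refusing is this model's choice; the page only says to avoid cycles.
        raise ValueError("lookup reference cycle: a field is both match and output")
    results = []
    for event in events:
        enriched = dict(event)  # never mutate the caller's event
        row = next((r for r in table
                    if all(ef in enriched and values_match(r[lf], enriched[ef])
                           for lf, ef in match)), None)
        if row is not None:
            for lookup_dest, event_dest in dest:
                if keep_existing and event_dest in enriched:
                    continue  # OUTPUTNEW: leave the value the event already carries
                enriched[event_dest] = row[lookup_dest]
        results.append(enriched)
    return results


def demo():
    """Run the three output variants and a CIDR lookup over constructed events."""
    events = [{"status": "401", "description": "from-event"},
              {"status": "404"},
              {"status": "500"}]  # no row for 500: event passes through unchanged
    table = load_lookup(STATUS_DESC_CSV)
    default = splunk_lookup(events, table, [("status", "status")])
    overwrite = splunk_lookup(events, table, [("status", "status")],
                              output=[("description", "description")])
    new_only = splunk_lookup(events, table, [("status", "status")],
                             outputnew=[("description", "description")])
    threats = splunk_lookup([{"src_ip": "203.0.113.42"}, {"src_ip": "2001:db8::1"},
                             {"src_ip": "192.0.2.7"}],
                            load_lookup(THREAT_CSV), [("cidr", "src_ip")],
                            output=[("threat", "threat")])
    return default, overwrite, new_only, threats


if __name__ == "__main__":
    for name, rows in zip(("default", "OUTPUT", "OUTPUTNEW", "CIDR"), demo()):
        print(name, rows)
```

The accidental-cycle case from the text is `splunk_lookup(events, table, [("status", "description")])`: with no OUTPUT clause the table's non-match field, description, becomes the output field while description is also the event field being matched on, so the model rejects it; naming an explicit OUTPUT field avoids the collision.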