lookup
Use the lookup command to invoke field value lookups.
Syntax
lookup table=<lookupTable>[<lookup_options>] select <outputFields> using <inputFields>Parameters
The following table lists the parameters used in this command, along with their description.
| Parameter | Description |
|---|---|
outputFields |
Syntax: List of one or more fields in the lookup table that should be copied to the matching log field(s), indexed or virtual. |
lookupTable |
Name of the lookup table. |
lookup options |
Syntax:
|
inputFields |
Syntax: List of one or more fields in the lookup table to match against the logs. The log field name, indexed or virtual, must be specified if different than the lookup's field name. |
For examples of using this command in typical scenarios, see:
The following example shows how to annotate log records that contain ORA error code with the error’s description and severity when the lookup fields are the names of existing indexed fields.
* | lookup table=OraErrorCodes select description as errtxt, severity as sevlvl using 'Error Id'=error_idThe following example shows how to add user group information listing no more than 5 groups.
* | lookup table=UserGroups maxmatches=5 select group using usridThe following example shows how to annotate log records with the information from multiple lookups.
* | lookup table=DnsLookup select client_host using client_ip | lookup table=AccountLookup select acct_region using acct_idThe following example shows how to perform two lookups using the same lookup table, but each lookup is done using different fields.
* | lookup table=MyLookup select B using A | lookup table=MyLookup select D using CThe following example shows how to look up a value in one lookup table and then use a returned field value to do a lookup using a second lookup table.
* | lookup table=FirstLookup select Y using X | lookup table=SecondLookup select Z using Y