Use Dictionary Lookup in Link
Similar to cluster, you can use a lookup command to annotate the Link results.
Consider the Link results for OCI API Gateway Access Logs. To use the dictionary lookup to provide names for different pages:
- Create a CSV file with the following contents:

    Operator,Condition,Name
    CONTAINS,login,Login Page
    CONTAINS,index,Home Page
    CONTAINS ONE OF REGEXES,"[\.sh$,\.jar$]",Script Access

Import this as a Dictionary type lookup using the name Page Access Types. This lookup contains one field, Name, that can be returned from each matching row. See Create a Dictionary Lookup.
- Use the dictionary in link:

Add a lookup command after link, as follows:

    'Log Source' = 'OCI API Gateway Access Logs' | link 'OPC Request ID' | stats unique(URI) as URI | lookup table = 'Page Access Types' select Name using URI

The value of URI field for each row is evaluated against the rules defined in the Page Access Types dictionary. The Name field is returned from each matching row.
The Name field contains the value from the dictionary. There can be more than one value for the Name field, if the URI matches against multiple fields.
- Analyze Link data using the dictionary fields:

The Name field can now be used like any other field in Link. For example, the following query filters by valid values for Name and analyzes the results against the HTTP Status in the response:

    'Log Source' = 'OCI API Gateway Access Logs' | link 'OPC Request ID' | stats unique(URI) as URI, unique(Status) as Status | lookup table = 'Page Access Types' select Name using URI | where Name != null | classify Status, Name as 'Page Analysis'

This query produces an analytical chart showing the distribution of HTTP Status for various pages. The resulting bubble chart has the pages, such as "Login Page, Home Page", "Home Page, Script Access", Home Page, Login Page, and Script Access, plotted along the Y-axis, and the HTTP status along the other axis.
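
An offline approximation of how the Page Access Types rules annotate URI values, added here as an example; it is not part of the original documentation and not the product's implementation. It assumes CONTAINS is a case-sensitive substring test and that the bracketed condition is a comma-separated list of regexes; the sample URIs are constructed.

```python
import csv
import io
import re

# The dictionary CSV from the first step, embedded inline.
DICTIONARY_CSV = r'''Operator,Condition,Name
CONTAINS,login,Login Page
CONTAINS,index,Home Page
CONTAINS ONE OF REGEXES,"[\.sh$,\.jar$]",Script Access
'''

def load_rules(text):
    """Parse the dictionary CSV into (operator, patterns, name) tuples."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        op, cond = row["Operator"].strip(), row["Condition"]
        if op == "CONTAINS":
            patterns = [cond]
        elif op == "CONTAINS ONE OF REGEXES":
            # Assumption: "[a,b]" is a comma-separated list of regexes.
            patterns = [re.compile(p) for p in cond.strip("[]").split(",")]
        else:
            raise ValueError(f"operator not modelled here: {op}")
        rules.append((op, patterns, row["Name"]))
    return rules

def lookup_names(uri, rules):
    """Return the Name of every rule the URI matches, in dictionary order."""
    names = []
    for op, patterns, name in rules:
        if op == "CONTAINS":
            hit = patterns[0] in uri  # assumption: case-sensitive substring
        else:
            hit = any(p.search(uri) for p in patterns)
        if hit:
            names.append(name)
    return names

RULES = load_rules(DICTIONARY_CSV)

# Constructed sample URIs, not taken from real logs.
SAMPLE_URIS = ["/login", "/index.html", "/index/login", "/tools/deploy.sh",
               "/lib/app.jar", "/tools/deploy.sh?run=1", "/health"]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:26} -> {', '.join(lookup_names(uri, RULES)) or '(no match)'}")
```

Under these assumptions, a URI that carries a query string after `.sh` or `.jar` is not labelled Script Access, because both regexes are anchored with `$`. Checking a sample of real URI values against the rules before importing the dictionary shows whether the anchoring fits your logs.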