Description
Use the lookup command to invoke field value lookups. For information about the types of lookups you can define, see About lookups in the Knowledge Manager Manual.
The lookup command supports IPv4 and IPv6 addresses and subnets that use CIDR notation.
Note: The lookup command can accept multiple lookup and event fields and destfields.

Syntax
| lookup AS, AS OUTPUTNEW AS, AS

Required arguments
Syntax:
Description: Can be either the name of a CSV file that you want to use as the lookup, or the name of a stanza in the nf file that specifies the location of the lookup table file.

Optional arguments
local
Syntax: local=
Description: If local=true, forces the lookup to run on the search head and not on any remote peers.
Default: false
update
Syntax: update=
Description: If the lookup table is modified on disk while the search is running, real-time searches do not automatically reflect the update. This does not apply to searches that are not real-time searches.
Default: false

Lookup field options
Syntax:
Description: Refers to a field in the lookup table to match against the events.
Syntax:
Description: Refers to a field in the events from which to acquire the value to match in the lookup table.
Syntax:
Description: Refers to a field in the lookup table to be copied into the events.
Syntax:
Description: A field in the events.

Usage
The lookup command is a distributable streaming command when local=false, which is the default setting.
When using the lookup command, if an OUTPUT or OUTPUTNEW clause is not specified, all of the fields in the lookup table that are not the match fields are used as output fields. If the OUTPUT clause is specified, the output lookup fields overwrite existing fields. If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist.
When you set up the OUTPUT or OUTPUTNEW clause for your lookup, avoid creating lookup reference cycles, in which the same field names are reused among the match fields and the output fields of a lookup search. For example, if you run a lookup search where type is both the match field and the output field, you are creating a lookup reference cycle. You can also create a lookup reference cycle accidentally when you fail to specify an OUTPUT or OUTPUTNEW clause for lookup, because every non-match field of the table then becomes an output field. For more information about lookup reference cycles, see Define an automatic lookup in Splunk Web in the Knowledge Manager Manual.
If you are using the lookup command in the same pipeline as a transforming command, and it is possible to retain the field you will look up on after the transforming command, do the lookup after the transforming command. For example:
sourcetype=access_* | stats count by status | lookup status_desc status OUTPUT description
is preferable to
sourcetype=access_* | lookup status_desc status OUTPUT description | stats count by description
The lookup in the first search is faster because it only needs to match the results of the stats command and not all the Web access events.
If you use lookup in federated searches, do not set local=true. This setting prevents the federated lookup search from being processed on the remote search heads of the federated providers, which causes the federated search to return incorrect results.
If you are running federated searches over standard mode federated providers, it is also important that the related lookup knowledge objects are duplicated on the local and remote sides of the search. For example, if you are running a federated search which performs a CSV file lookup across your deployment and two remote standard mode federated providers, the CSV file and the CSV lookup definition on your local federated search head must be duplicated on the remote search heads of the standard mode federated providers. See Custom knowledge object coordination for standard mode federated providers in the Search Manual. For an overview of federated search and federated search terminology, see About federated search in the Search Manual.

Basic example 1. Lookup users and return the corresponding group the user belongs to
Suppose you have a lookup table specified in a stanza named usertogroup in the nf file. This lookup table contains (at least) two fields, user and group. Your events contain a field called local_user. For each event, the following search checks to see if the value in the field local_user has a corresponding value in the user field in the lookup table. For any entries that match, the value of the group field in the lookup table is written to the field user_group in the event.
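Added example (not Splunk's code): a Python model of the OUTPUT / OUTPUTNEW semantics and of the lookup-reference-cycle pitfall described under Usage, run against a constructed usertogroup table for basic example 1. The `lookup` and `basic_example_1` functions, the sample rows and the SPL string in the docstring (inferred from the example's description) are this example's own assumptions.

```python
from typing import Dict, List, Optional, Sequence, Tuple

Row = Dict[str, str]
# Constructed sample data: a usertogroup table with the fields user and group.
USERTOGROUP: List[Row] = [
    {"user": "alice", "group": "admins"},
    {"user": "bob", "group": "analysts"},
]


def lookup(events: Sequence[Row], table: Sequence[Row],
           match: Sequence[Tuple[str, str]],
           output: Optional[Sequence[Tuple[str, str]]] = None,
           outputnew: bool = False) -> List[Row]:
    """Model of `| lookup <table> <lookup-field> AS <event-field>
    OUTPUT|OUTPUTNEW <lookup-destfield> AS <event-destfield>` over event dicts.

    match:     (lookup_field, event_field) pairs the rows are joined on.
    output:    (lookup_destfield, event_destfield) pairs to copy; None means
               every non-match table field is copied, as when no clause is given.
    outputnew: keep values the event already has (OUTPUTNEW) instead of
               overwriting them (OUTPUT).
    """
    if output is None:
        lookup_match = {lf for lf, _ in match}
        output = [(f, f) for f in table[0] if f not in lookup_match] if table else []
    # Lookup reference cycle: an event field used for matching is also an output destination.
    cycle = {ef for _, ef in match} & {edf for _, edf in output}
    if cycle:
        raise ValueError(f"lookup reference cycle on field(s): {sorted(cycle)}")
    result: List[Row] = []
    for ev in events:
        ev = dict(ev)
        for row in table:
            if all(ef in ev and row.get(lf) == ev[ef] for lf, ef in match):
                for ldf, edf in output:
                    if outputnew and edf in ev:
                        continue  # OUTPUTNEW: the existing event field wins
                    ev[edf] = row[ldf]  # OUTPUT: overwrite the event field
                break  # first matching table row wins
        result.append(ev)
    return result


def basic_example_1() -> List[Row]:
    """Basic example 1 as modelled here (SPL form assumed from the description):
    ... | lookup usertogroup user AS local_user OUTPUT group AS user_group"""
    events = [{"local_user": "alice"}, {"local_user": "mallory"}]  # constructed
    return lookup(events, USERTOGROUP, [("user", "local_user")],
                  [("group", "user_group")])
```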