outputlookup
Description
Writes the search result to a table (or file) with the ability to update or append data. Supports parameter configuration for managing the writing and updating process.
Syntax
...| outputlookup <lookup-name> [append=<bool>] [keyfield=<string>] [packsize=<int>] [nores=<bool>]
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
lookup-name | <field> | The name of the predefined lookup. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
append | append=<bool> | false | true — appends to existing data, false — overwrites existing data. |
keyfield | keyfield=<string> | The field used to match records between the lookup table and the source data. Only documents with matching values in this field will be updated. | |
packsize | packsize=<int> | 100 | Defines how many records are updated simultaneously in the table. Works only in combination with keyfield. Used to manage load for large updates. |
nores | nores=<boolean> | false | When set to true, clears the search results after writing to the lookup table. |
Query Examples
Example #1
source radius_logs
| outputlookup my_lookup
Example #2
source internal_audit*
| aggs count, latest(audit_category) as audit_category by audit_node_host_address
| outputlookup hosts_categories keyfield=audit_node_host_address packsize=200 nores=true