outputlookup
Description
Writes the search result to a table (or file).
Syntax
...| outputlookup <lookup-name> [append=<bool>] [key_field=<string>]
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| lookup-name | <field> | The name of the predefined lookup. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| append | append=<bool> | false | `true` appends to the existing data; `false` overwrites the existing data. |
| key_field | key_field=<string> | | The field used to match records between the lookup table and the source data. Only documents with matching values in this field will be updated. |
Query Examples
Example №1
source radius_logs
| outputlookup my_lookup
Example №2
source internal_audit*
| aggs count, latest(audit_category) as audit_category by audit_node_host_address
| outputlookup hosts_categories key_field=audit_node_host_address packsize=200 nores=true
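Example №3 (added here; it is not one of the original page's examples). It combines `append=true` with `key_field`, which neither example above does: rows whose `client_ip` already exists in the lookup are updated in place and new addresses are added, instead of the whole table being replaced as happens with the default `append=false`. The source name `radius_logs` comes from Example №1; the field names `client_ip` and `auth_result` and the lookup name `radius_auth_by_host` are assumptions about the data, not values from this page.

```text
source radius_logs
| aggs count, latest(auth_result) as last_result by client_ip
| outputlookup radius_auth_by_host append=true key_field=client_ip
```

Run on a schedule, this keeps a per-client summary of RADIUS authentication activity that other searches can read back, while `key_field=client_ip` prevents a second run from creating duplicate rows for addresses already recorded.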