inputlookup
Description
Retrieves data from the reference database.
Syntax
| inputlookup <lookup-name> [max=<int>] [system=<boolean>]
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| lookup-name | <lookup-name> | Name of the predefined lookup. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| max | max=<int> | Integer.MAX (2147483647) | Maximum number of events to fetch. |
| system | system=<boolean> | false | When set to true, a system lookup is requested; otherwise, a user lookup is performed. |
Examples
Example 1
In this example, the command reads data from the system lookup table my_lookup.
| inputlookup my_lookup system=true
Example 2
In this example, the parameter max=2 limits the number of returned rows to two records.
| inputlookup my_lookup max=2
Example 3
In this example, the lookup table contents are first loaded via inputlookup, then aggregated by the aggs command.
| inputlookup my_lookup | aggs count(geo_ip) as ip