outputlookup
Description
Writes the search results to a lookup table (or file), either replacing the existing contents or appending to them. Its parameters control how the data is written and how existing records are updated.
Syntax
...| outputlookup <lookup-name> [append=<boolean>] [keyfield=<field>] [packsize=<int>] [nores=<boolean>] [system=<boolean>]
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| lookup-name | <lookup-name> | The name of the predefined lookup. |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| append | append=<boolean> | false | true appends to the existing data; false overwrites it. |
| keyfield | keyfield=<field> | | The field used to match records between the lookup table and the search results. Only lookup records whose value in this field matches a result are updated. |
| packsize | packsize=<int> | 100 | The number of records written to the table per batch. Works only in combination with keyfield. Used to limit load during large updates. |
| nores | nores=<boolean> | false | When true, the search results are not returned after the write to the lookup table. |
| system | system=<boolean> | false | When true, writes to a system lookup; otherwise writes to a user lookup. |
Examples
Example 1
In the minimal version, the command writes all found results from source radius_logs to the lookup table my_lookup.
source radius_logs
| outputlookup my_lookup
Example 2
In this example, keyfield=audit_node_host_address sets the matching field, packsize=200 limits each update batch to 200 records, and nores=true suppresses the search results after the write.
source internal_audit*
| aggs count, latest(audit_category) as audit_category by audit_node_host_address
| outputlookup hosts_categories keyfield=audit_node_host_address packsize=200 nores=true
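The following is an added example, not code from the original documentation or from the product itself: a small in-memory Python model of the write modes described in the Optional Arguments table and exercised in Example 2 (overwrite, append, keyfield-matched update in batches of packsize, and nores). Lookup rows are plain dictionaries, the sample data is constructed, and the handling of a result row that matches no existing record is an assumption flagged in the comments, since the documentation only specifies the matching case.

```python
# Added example (not the product's own code): models outputlookup's write modes.
from typing import Dict, List, Optional, Tuple

Row = Dict[str, object]


def chunked(rows: List[Row], size: int) -> List[List[Row]]:
    """Split rows into consecutive batches of at most `size` rows (the packsize)."""
    if size < 1:
        raise ValueError("packsize must be >= 1")
    return [rows[i:i + size] for i in range(0, len(rows), size)]


def output_lookup(
    lookup: List[Row],
    results: List[Row],
    append: bool = False,
    keyfield: Optional[str] = None,
    packsize: int = 100,
    nores: bool = False,
) -> Tuple[List[Row], List[Row], int]:
    """Return (new lookup contents, results passed on, number of batches written).

    append=false, no keyfield : the lookup is replaced by the search results.
    append=true,  no keyfield : the results are added after the existing rows.
    keyfield set              : a result whose keyfield value matches an existing
                                row updates that row; packsize rows per batch.
    nores=true                : nothing is passed on after the write.
    """
    if keyfield is None:
        new_rows = (list(lookup) if append else []) + [dict(r) for r in results]
        batches = 1 if results else 0  # packsize only applies together with keyfield
    else:
        new_rows = [dict(r) for r in lookup]
        index = {r[keyfield]: i for i, r in enumerate(new_rows) if keyfield in r}
        batches = 0
        for batch in chunked(list(results), packsize):
            batches += 1
            for r in batch:
                key = r.get(keyfield)
                if key in index:
                    new_rows[index[key]].update(r)  # matching record is updated
                elif append:
                    # Assumption: an unmatched result is added only when append=true.
                    # The documentation only specifies what happens to matching rows.
                    index[key] = len(new_rows)
                    new_rows.append(dict(r))
    passed_on = [] if nores else [dict(r) for r in results]
    return new_rows, passed_on, batches


# Constructed sample data in the shape of Example 2: one row per host address.
HOSTS_CATEGORIES: List[Row] = [
    {"audit_node_host_address": "10.0.0.1", "audit_category": "auth", "count": 3},
    {"audit_node_host_address": "10.0.0.2", "audit_category": "config", "count": 1},
]
NEW_RESULTS: List[Row] = [
    {"audit_node_host_address": "10.0.0.1", "audit_category": "auth", "count": 9},
    {"audit_node_host_address": "10.0.0.3", "audit_category": "net", "count": 2},
]


def demo_keyfield_update() -> Tuple[List[Row], List[Row], int]:
    """Example 2's options, with packsize=1 so the batching is visible."""
    return output_lookup(HOSTS_CATEGORIES, NEW_RESULTS,
                         keyfield="audit_node_host_address", packsize=1, nores=True)


if __name__ == "__main__":
    rows, passed, batches = demo_keyfield_update()
    for row in rows:
        print(row)
    print("batches written:", batches, "| rows passed on:", len(passed))
```

Running the script shows the 10.0.0.1 row updated in place, the 10.0.0.2 row untouched, the unmatched 10.0.0.3 row dropped (append is false), two batches written because packsize=1, and no rows passed on because nores=true. Calling output_lookup without keyfield shows the plain overwrite and append modes.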