Lookup Command

Use the lookup command to invoke field value lookups.

Syntax

lookup table=<lookupTable>[<lookup_options>] select <outputFields> using <inputFields>

Parameters

The following table lists the parameters used in this command, along with their description.

Parameter	Description
`outputFields`	Syntax: `<lookup_field> [as <log_field>] [,<lookup_field> [as <log_field>] ]*` List of one or more fields in the lookup table that should be copied to the matching log field(s), indexed or virtual.
`lookupTable`	Name of the lookup table.
`lookup options`	Syntax: `[maxmatches= <value>] [default=<value>]` `maxmatches`: The maximum number of possible matches to be returned for a given lookup key. The first `n` matches, in file order, are returned. Valid values: 1-1000, inclusive. Default value is 1. `default`: The default value to be used for all output fields should a match not be found for a given lookup key. By default, this is null.
`inputFields`	Syntax: `<log_field> [= <lookup_field>] [,<log_field> [= <lookup_field>] ]*` List of one or more fields in the lookup table to match against the logs. The log field name, indexed or virtual, must be specified if different than the lookup's field name.

For examples of using this command in typical scenarios, see:

Use Dictionary Lookup in Cluster in Using Oracle Log Analytics
Use Dictionary Lookup in Link in Using Oracle Log Analytics

The following example shows how to annotate log records that contain ORA error code with the error’s description and severity when the lookup fields are the names of existing indexed fields.

* | lookup table=OraErrorCodes select description as errtxt, severity as sevlvl using 'Error Id'=error_id

The following example shows how to add user group information listing no more than 5 groups.

* | lookup table=UserGroups maxmatches=5 select group using usrid

The following example shows how to annotate log records with the information from multiple lookups.

* | lookup table=DnsLookup select client_host using client_ip | lookup table=AccountLookup select acct_region using acct_id

The following example shows how to perform two lookups using the same lookup table, but each lookup is done using different fields.

* | lookup table=MyLookup select B using A | lookup table=MyLookup select D using C

The following example shows how to look up a value in one lookup table and then use a returned field value to do a lookup using a second lookup table.

* | lookup table=FirstLookup select Y using X | lookup table=SecondLookup select Z using Y