https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341083#M101129 <P>Very kind @mayurr98 - thanks.</P> Mon, 12 Mar 2018 00:33:45 GMT ddrillic 2018-03-12T00:33:45Z https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341078#M101124 <P>How can we perform a lookup substitution at index time? We have a defined lookup and at index time we would like to replace certain values with the values in the lookup table.</P> Wed, 07 Mar 2018 23:36:56 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341078#M101124 ddrillic 2018-03-07T23:36:56Z https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341079#M101125 <P>Hi, by specifying <CODE>OUTPUT</CODE> as part of your lookup command, it will overwrite fields in your results with the value from the lookup if the fields match. e.g:</P> <PRE><CODE>sourcetype=access_* | stats count by status | lookup status_desc status OUTPUT description </CODE></PRE> <P>In this example, any previous <CODE>description</CODE> field will be overwritten.</P> <P>However, if the field in your event is called <CODE>myDescription</CODE> then you would use:</P> <PRE><CODE>sourcetype=access_* | stats count by status | lookup status_desc status OUTPUT description AS myDescription </CODE></PRE> <P>I hope this helps.</P> Wed, 07 Mar 2018 23:42:28 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341079#M101125 livehybrid 2018-03-07T23:42:28Z https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341080#M101126 <P>Great, but we would like to do it at index time ; -)</P> Wed, 07 Mar 2018 23:44:21 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341080#M101126 ddrillic 2018-03-07T23:44:21Z https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341081#M101127 <P>Whoops - Should have read more carefully! Sorry but that is a bit trickier. Its not possible to do a traditional lookup. You're best bet would probably be a time-based lookup so your lookup at searchtime is accurate to the time the data was indexed...it depends on your specific case.<BR /> Sorry I couldnt help further!</P> Wed, 07 Mar 2018 23:51:00 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341081#M101127 livehybrid 2018-03-07T23:51:00Z https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341082#M101128 <P>hello @ddrillic</P> <P>You probably may have found out by now but just in case .. Lookups cannot be done at index time but only at search time.<BR /> Refer this answers that I just found out<BR /> <A href="https://answers.splunk.com/answers/8087/kicking-off-lookup-at-index-time.html">https://answers.splunk.com/answers/8087/kicking-off-lookup-at-index-time.html</A><BR /> <A href="https://answers.splunk.com/answers/13723/large-table-lookup-at-index-time-vs-search-time-tradeoffs.html">https://answers.splunk.com/answers/13723/large-table-lookup-at-index-time-vs-search-time-tradeoffs.html</A></P> <P>Well, you can configure <A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/DefineanautomaticlookupinSplunkWeb">automatic lookups</A>.<BR /> let me know if this helps!</P> Thu, 08 Mar 2018 07:58:26 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341082#M101128 mayurr98 2018-03-08T07:58:26Z https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341083#M101129 <P>Very kind @mayurr98 - thanks.</P> Mon, 12 Mar 2018 00:33:45 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/341083#M101129 ddrillic 2018-03-12T00:33:45Z https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/549370#M155874 <P>I was looking to do the same thing, and noticed this doc page was created for 8.1.x.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/IngestLookups" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/IngestLookups</A></P><P>Maybe something to look at?</P> Mon, 26 Apr 2021 19:59:43 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-perform-a-lookup-substitution-at-index-time/m-p/549370#M155874 ejwade 2021-04-26T19:59:43Z