
...

This operation returns the values of a given lookup field upon successful key matching.

Info

Existing lookups required

To perform this operation, it is necessary to have existing lookups ready for use (visit this article to get help uploading lookups and this article to get help creating query lookups).

How does it work in the search window?

...

Existing lookups required

To perform these operations, it is necessary to have existing lookups ready for use (visit this article to get help uploading lookups and this article to get help creating query lookups).

| Argument | Description | Data type |
|---|---|---|
| Lookup name (mandatory) | Choose the lookup you want to use to enrich your table. | string |
| Lookup field (mandatory) | Choose the lookup field you want to use to enrich your table. | string |
| Key (mandatory) | Choose the table field you want to use to find matches with the lookup key field. | same as lookup key field |

Info

Once you specify the adequate arguments and click the Create field button, the new field is added to your table.

...

  • select lu("Lookup_name", "Lookup_field", Key_field) as new_field


Syntax considerations

  • "lookup_name" → This must be the name of the lookup that contains the data you want to use to enrich your data.

  • "lookup_field" → This must be the lookup field you want to use to enrich your data, which must not be the same as the lookup key field.

  • key_field → This must be the table field that will be used to find matches with the lookup key. The name can be different from the lookup key field as long as the data types coincide and the values it contains are potential matches (username-user). The absence of matches will return null, and a different data type will return an error when running the query.

Example

We want to enrich the siem.logtrust.web.activity table with information about the working model in each city. After performing the operations you need to manipulate your data, such as filtering and grouping operations, you can use the Lookup (lu) operation to enrich your data with the following upload lookup, which contains info about company offices:

  • Lookups (Companies example).csv

These are the arguments needed when using the interface:

...

The values in the Office_type lookup field will be brought into your table when the values in the city field and those in the lookup key field match. When they do not match, null will be returned.

...