Document toolboxDocument toolbox

lookupOperator

Join two tables (left, right) basd on a matching input field (left.inputField = right.lookupField) and add a fetchField column to the first (left) table. This operator is useful if the input table has numerous columns, which can make it difficult to use a simple join.

Usage Details

LQL Command

lookupOperator(table, inputField, lookupTable, lookupField, fetchField)

Input

table: Input table.
inputField: Column to be matched in the input table.
lookupTable: Name of the lookup table.
lookupField: Column to be matched in the lookup table.
fetchField: Column in lookup table to add to input table.

Output
The output table is the same as input table with an additional column named fetchField. If a fetchField column already exists in the input table the original one is dropped.

Example

Input
table A with (f1, f2, f3) columns,

sourceIP sourcePort destIP destPort
1234

LQL command

B = select f1 as u1, SIZE(f2) + SIZE(f3) as val from A
C = lookupOperator(A,"f1", B, "u1", "val")

-- C should be a table A with additional "val" column

-- The operator should produce the same output as
-- select f1, f2, f3, val from A join B on A.f1 = B.u1