Lookup Files

Security Requirements and Controls

Lookup files add context to data, enabling you to attach or replace fields on events recorded in a repository when they are searched. Lookup files can also be used to filter data by calling the lookup file in a query function.

To add a lookup file, create or import a CSV (comma-separated value) or JSON file and upload it to the repository or view. The Lookup files page includes a search to help you find and manage lookup files.

Figure 43. Lookup Files Interface


The files can be used together with query functions to provide lookups and matching, using the match() function.

Lookup files also work with the readFile() function, which reads a file to use as the data input for your query.
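The uses described above (enriching events, filtering by a file, and reading a file as query input), shown as an added example that is not part of the original documentation. The file name asset_owners.csv, its columns and rows, and the event field src_ip are constructed for illustration; run each query separately.

```logscale
// Constructed lookup file, uploaded as asset_owners.csv (sample data,
// documentation-range addresses):
//   ip,owner,criticality
//   192.0.2.10,payments-team,high
//   192.0.2.20,build-infra,medium
//   198.51.100.5,guest-wifi,low

// Query 1: enrich. strict=false keeps events that have no matching row,
// so sources missing from the inventory stay visible (owner is unset).
match(file="asset_owners.csv", field=src_ip, column=ip, include=[owner, criticality], strict=false)
| groupBy([src_ip, owner, criticality])

// Query 2: filter. With strict left at its default (true), only events
// whose src_ip has a row in the file pass through; the included columns
// can then be filtered on like any other field.
match(file="asset_owners.csv", field=src_ip, column=ip, include=[owner, criticality])
| criticality = "high"

// Query 3: use the file itself as the query input, for example to review
// what the uploaded file currently contains.
readFile("asset_owners.csv")
| groupBy(criticality)
```

Query 1 suits triage where unknown sources matter; Query 2 narrows results to assets already listed in the file.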

For information on the different lookup file formats that can be used, see Supported File Types and Formats.

Once uploaded, files are synchronized across all the nodes within the cluster. Depending on the size of the file and on which queries are running, there may be a delay before the updated file is available to queries.

The following operations are available: