Action Type: Lookup File

The Lookup File action creates a CSV lookup file from the events and uploads the file to LogScale in the repository/view of the action. The CSV lookup file can then be used in the match() function, among others.

It is recommended to use this action with a search that only returns the fields that are needed as columns in the CSV file. This can, for instance, be achieved by using the select() query function.

For more information about lookup files in LogScale, see Lookup Files.

Figure 259. Configuring Lookup File Action


Parameter: Description

Action Name: The name provided for the action.

Select existing file: If you want to use an existing lookup file for this action, choose Select existing file.

File Name: When creating a new lookup file, the file name for the CSV file. Type the name of the new lookup file to create. The file name must include the .csv extension.

File: The file name for the CSV file, if you choose Select existing file. Select an existing file from the drop-down list.

Update behavior: Choose between the following options:
  • Overwrite contents replaces the contents of the file with the query results each time the action runs.

  • Append results adds the new query results to the existing contents; changed results are not updated. This might result in duplicate rows.

  • Update changed updates the lookup file with changed content and new content each time the action runs, based on the key columns selected. When a row's key columns match the query results, LogScale replaces the matching rows. Fields that are not on the updated row are therefore removed, and new fields may also be added. The rows that do not match are appended to the existing contents.

Key column selection: If Update behavior is Update changed, you must select one or more columns to use as key values on which to match. This functionality works in the same way as the match() function, in that if multiple key columns are selected, then all of them must match for the row to be updated. If no rows match the key values, then the content from the query results is appended to the lookup file. Deselect Make case sensitive if you do not require the match to be case sensitive.

Go to Resources and select Files to find the lookup file.

Whenever the action triggers, the file is either appended to, updated, or overwritten, depending on your configuration. If your action is configured to overwrite, then the action must receive all events necessary to populate the file, and not just the changes since the action was last triggered. If your action is configured to append, then the action receives all changes since the action was last triggered.
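
The following Python sketch is an added illustration, not LogScale code: it models the three update behaviors and the key column matching described above, so you can see what a lookup file used as a watchlist would contain after one run. The function names, the behavior strings, and the sample rows are assumptions made for this example.

```python
# Added illustration: models the update behaviors described on this page.
# Not LogScale code. Rows are dicts (one per CSV line); sample data is constructed.

def row_key(row, key_columns, case_sensitive):
    """Build the comparison key; every selected key column must match."""
    values = tuple(str(row.get(col, "")) for col in key_columns)
    return values if case_sensitive else tuple(v.lower() for v in values)

def apply_update(existing, results, behavior, key_columns=(), case_sensitive=True):
    """Return the lookup file rows after one action run."""
    if behavior == "overwrite":
        return [dict(r) for r in results]             # previous contents are gone
    if behavior == "append":
        return [dict(r) for r in existing + results]  # duplicates are possible
    if behavior != "update_changed":
        raise ValueError(f"unknown behavior: {behavior}")
    if not key_columns:
        raise ValueError("Update changed needs at least one key column")
    rows = [dict(r) for r in existing]
    for new in results:
        wanted = row_key(new, key_columns, case_sensitive)
        hits = [i for i, old in enumerate(rows)
                if row_key(old, key_columns, case_sensitive) == wanted]
        for i in hits:
            rows[i] = dict(new)     # whole row replaced; fields missing from `new` are dropped
        if not hits:
            rows.append(dict(new))  # no key match: row is appended
    return rows

EXISTING = [  # constructed: current lookup file contents
    {"ip": "10.0.0.5", "host": "WEB01", "severity": "low", "owner": "ops"},
    {"ip": "10.0.0.9", "host": "db01", "severity": "high"},
]
RESULTS = [   # constructed: rows returned by the triggering query
    {"ip": "10.0.0.5", "host": "web01", "severity": "critical"},
    {"ip": "10.0.0.7", "host": "app01", "severity": "low"},
]

if __name__ == "__main__":
    for label, kwargs in [
        ("overwrite", {}),
        ("append", {}),
        ("update_changed", {"key_columns": ("ip", "host")}),
    ]:
        print(label, apply_update(EXISTING, RESULTS, label, **kwargs))
    print("update_changed (case-insensitive)",
          apply_update(EXISTING, RESULTS, "update_changed",
                       key_columns=("ip", "host"), case_sensitive=False))
```

With case-sensitive keys, WEB01 and web01 do not match, so the file ends up with two rows for 10.0.0.5; with case sensitivity off, the existing row is replaced and its owner field is lost.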

Note that the default file size allowed for lookup files is 200 MB. If the action updates or appends to the file in such a way that the file size is exceeded, then the action will fail. You can update the file manually to reduce the file size, create a new lookup file for the action to write to, or change the query to reduce the data populated to the file.