Manage Lookup Files

You can manage all available lookup files in your repository from the web interface.

Lookup Files Interface

Figure 48. Lookup Files Interface


From the table you can:

Update lookup files

Security Requirements and Controls

Sometimes it's necessary to update the content of lookup files. If you are running a trigger with a lookup file action, you can configure the action to update the file automatically based on the results of the trigger.

If you are not updating the lookup file automatically with a trigger as described above, the following methods are available to update lookup files:

  • Update the lookup file from the Resources menu → Lookup files:

    1. Click on the file to update

    2. Update the file as needed: add or remove columns and rows, update contents, and so on.

    3. Click Save

  • Update the lookup file in the Search interface. In this case, you will run the query and then save the results as a lookup file: see Update existing lookup files from the Search page for details.

  • Update the lookup file externally and upload it to LogScale. To do this, export the lookup file and open it in another tool, make the necessary changes, and upload the file again.

Note

If you want the lookup file to be updated, appended, or overwritten by a query in a scheduled search, you must select the lookup file in an action attached to the scheduled search and choose the desired behavior when the query runs. For more information, see Action Type: Lookup File.

Update existing lookup files from the Search page

Available: Update a lookup file from the search interface v1.211.0

Update a lookup file from the search interface is available from version 1.211.0.

When updating an existing file from the Search page, run the query whose results you want to save, then click Save in the Results panel and choose Lookup file.

Select Update existing file and choose the file name from the drop-down.


There are three options in the Update behavior drop-down:

  1. Overwrite contents replaces the contents of the file with the query results.

  2. Update changed will update the changed results based on the key columns selected. When a row's key columns match the query results, LogScale replaces the matching rows. So fields that are not on the updated row will be removed, and new fields may also be added. The rows that do not match will be appended to the existing contents.

    When selecting Update changed, you must select one or more columns in Key column selection on which to attempt to match. This functionality works in the same way as the match(), in that if multiple key columns are selected, then all of them must match for the row to be updated. For example, if hostname is designated as the key column and a device's IP address changes, the system will automatically update to reflect the new IP while maintaining the same hostname. Matches can also be case-sensitive, if necessary. If Match case sensitive is enabled, updates will only occur if the column values match exactly, including uppercase and lowercase characters.

    To select columns, type the name of the column on which to match, or select it from the drop-down list.

    Dialog showing the update lookup file options when called from the Search results. The option to update an existing file is selected and a file is selected. The update behavior selected is Update changed and the column selection drop-down is shown to see which columns can be selected.

    Figure 50. Update lookup file from Search with option Update changed


  3. Append results appends the query results to the existing contents. This can result in duplicate rows.

Click Save once you have made your selection.

Copy lookup file names

Security Requirements and Controls

Available: Copy lookup file names v1.230.0

Copy lookup file names is available from version 1.230.0.

It can be helpful to copy the complete file names of lookup files, so you can use them in building queries that use functions like match(), which need to recall the file name.

There are two ways to copy the name of existing lookup files:

  • Click the Copy file name option from the options menu in the files' overview table

  • Click the copy icon that reveals on hovering over a file name in the files' overview table.

Export lookup files

Security Requirements and Controls

You can export lookup files from LogScale as needed, for example, to augment content in third-party tools where it is easier to manipulate large amounts of data.

To export a file from the overview table, click the menu icon next to the file and select Export:

Management options for each lookup file. You can export, delete, or share the asset.

Figure 51. Lookup file management actions


You can also export the lookup file when the file is open by clicking Export:

Screenshot showing a lookup file that is open with the options at the top of the screen to export or delete a file.

Figure 52. Export file


Delete a lookup file

Security Requirements and Controls

Warning

Deleting a file that is actively used by live queries will stop those queries.

To delete a file click the ⋮ menu icon next to a file in the files' overview table.

You can also delete the lookup file when the file is open by clicking Delete.

Screenshot showing a lookup file that is open with the options at the top of the screen to export or delete a file.

Figure 53. Delete file


Assign permissions for lookup files

Security Requirements and Controls

Sometimes you might want to collaborate with another user on a file, but that user does not have permission to files in the view. If you have permissions to do so, you can grant permissions to that user to edit and delete a particular file in a view. For more information about asset permissions, see Asset permissions.

If you do not have Change user access permission on the repository, you will see a list of users only (no groups) that already have at least Read permissions on the repository. You can select from these users and give them more permissions (up to the same permissions you have).

To grant access to edit or delete a file to another user or group:

Asset creator/Regular user

The creator of an asset and regular users can share the same permissions that they have to the asset with users who already have read access to the view. You cannot share access with users who do not have read access to the view. You cannot share access with groups at all.

  1. Click ⋮ next to the file you want to share and select Asset sharing.

  2. In the Users and groups with access window you see users who currently have access to the file and what access they have.

  3. Click Share file.

  4. Click to select the user to get additional permissions. Note that you can only see users who already have read permission to the view. Click Next.

  5. Select the appropriate permissions to assign the permissions. You can only grant up to the same permissions you have. Click Grant permissions.

You have Change user access permission

With Change user access permission, you can grant permission to users, including read permission if the user does not have that, and permissions that you do not have yourself. You can also see groups and group members and what permissions they have in the Groups tab, but you cannot change the permissions for the group in the Groups tab. To be able to change the permissions directly from the group tab, you must have Change organization permissions permission.

To grant additional permissions to a user that already has read access to the view:

  1. Click ⋮ next to the file you want to share and select Asset sharing.

  2. In the Users and groups with access window you see users and groups who currently have access to the file and what access they have.

  3. Click the button next to the user in the list.

  4. Click to assign the permissions. Click Save changes.

  5. Click Close.

If you have the Change user access permission and you want to share permissions to the file with a user or group not in the list, or you want to give a group that is in the list additional permissions:

  1. Click Share file.

  2. Click to select the group or user who should get additional permissions. Click Next.

  3. Select the appropriate permissions to assign. Be aware of the message that the user or group gets Read access to all assets in the repository automatically when assigning asset permissions for one asset in the repository. Click Next.

  4. Confirm that you understand that you are granting Read access to all assets in the repository by adding the asset permission for the user or group. Click Grant data read access.

  5. Click Grant permissions.