Skip to main content
Sumo Logic

Manage and Update Lookup Tables

Learn how to update, export, and share Lookup Tables.

The page has information about updating, exporting, and sharing Lookup Tables. For information about creating a new Lookup Table, see Create a Lookup Table.

Key facts about Lookup Tables

Before you create or update a Lookup table, note the following.

Size limits

  • Lookup files can be up to 100 MB in size. Note that if the .csv file contains duplicate rows (rows with the same primary key) the duplicate rows will be included in the file size calculation, and apply towards the 100 MB limit.
  • The maximum length for a primary key string field is 1024 characters.
  • The total size of any row cannot be larger than 200 KB.

Reserved Keywords

When you create a Lookup Table schema, note the following requirements:

  • The following strings are reserved (case-insensitive) and should not be used as field names: "pkv", "tid-cid-s", "mt", "tid-sk-1", "tid-sk-2", "tid-sk-3", "tid-sk-4", "tid-sk-5", "tid-sk-6", "tid-sk-7", "tid-sk-8", "tid-sk-9", "tid-sk-10", "tid-sk-11", "tid-sk-12", "tid-sk-13", "tid-sk-14", "tid-sk-15", "tid-sk-16", "tid-sk-17", "tid-sk-18", "tid-sk-19", "tid-sk-20", "_messagetime", "_receipttime", "_sourcecategory", "_sourcehost", "_sourcename", "_source", "_sourceid", "_collector", "_collectorid", "_view", "_index".
  • Field names cannot contain two tilde characters in a row (~~). 
  • Field names are not case-sensitive. For example, you can't have both "Name" and "name" fields.

Update the contents of a lookup table

This section has instructions for updating a lookup table. You can:

  • Merge data—Use this option to update existing rows with new values, or to add new rows to the lookup table. 
  • Replace data—Use this option to completely replace the data in the lookup table with the data in the .csv file. 
  • Delete data—Use this option to remove all the data in the lookup table. 

Merge data into a lookup table

You can use the Merge Data option to update existing lookup tables rows with new values, or to add new rows to a lookup table. 

Before you start, create a .csv file that contains the data you want to merge. Note that:

  • The header of the .csv file must contain the primary key fields, or the merge operation will fail. 
  • If a primary key value in the .csv file matches an existing primary key value in the lookup table, the corresponding row in the table will be overwritten.
  • If a primary key value in the .csv file does not match a primary key value in any row in the table, a new row will be added to the table.
  • Any rows that exist in the lookup table, but not in the .csv file, will remain unchanged.
  • If the first row of the file does not match the fields defined in the table schema, the updates in the file will be discarded, and the lookup table will not be updated.
  • If the .csv file contains additional columns (fields) that aren't defined in the table schema, the additional fields will be dropped during the merge operation. 
  •  If the file doesn't contain one or more columns (fields) that are defined the table schema, the merge operation. will fail. The primary key(s) must be present in the file for the merge to succeed. 

The file should have a .csv extension, and not be larger than 100 MB. The first row of the table should contain the names of the fields defined in the table schema. 

For example:

username,IPAddress,region

  1. Go to the Sumo Logic Library.
  2. Mouse over the lookup table you want to view, and select Edit from the three-dot more options menu.
  3. The edit page for the lookup table appears.
    edit-lookup-table.png
  4. Click Merge Data.
  5. The Merge Lookup Data popup appears.
    merge-lookup-data.png
  6. Click Upload.
  7. Navigate to the .csv file and click Open.
  8. Click Done.

Replace all the rows in a lookup table with new rows

You can use the Replace Data option to completely replace the data in a lookup table with the data in a .csv file.

Before you start, create a .csv file that contains the rows you overwrite the lookup table with.  

The file should have a .csv extension, and not be larger than 100 MB. The first row of the table should contain the names of the fields defined in the table schema. For example:

username,IPAddress,region

  1. Go to the Sumo Logic Library.
  2. Mouse over the lookup table you want to view, and select Edit from the three-dot more options menu.
  3. The edit page for the lookup table appears.
    edit-lookup-table.png
  4. Click Replace Data.
  5. The Replace All Lookup Data popup appears.
    replace-all-lookup-data.png
  6. Click Upload.
  7. Navigate to the .csv file and click Open.
  8. Click Done.

Delete the contents of a lookup table

You can use the Delete Data option to remove all the data in a lookup table.

Follow the steps below to delete all of the contents of a lookup table:

  1. Go to the Sumo Logic Library.
  2. Mouse over the lookup table you want to delete, and select Edit from the three-dot more options menu.
  3. The edit page for the lookup table appears.
    edit-lookup-table.png
  4. Click Delete Data.
  5. You are prompted to confirm that you want to delete the contents of the lookup file.
    delete-lookup-data.png
  6. Enter Delete, and click Delete.

Update a lookup table with the save operator

You can use the save operator to save the results of a Sumo log query to a lookup table you created using the Lookup UI or API. For more information, see save Operator.

Export a lookup table schema

If you want to replicate a lookup table schema in a different folder in the Library, the process is to export it, and then import it into the desired folder. (When you export a lookup table, the data it contains is not exported.) 

  1. Go to the Sumo Logic Library.
  2. Mouse over the lookup table you want to export, and select Export from the three-dot more options menu.
  3. The export popup presents the contents of the lookup table in JSON format.
    export-lookup-table.png
  4. Click Copy to copy the JSON to the clipboard, or Download to download a JSON file.
  5. Click Done
  6. To create new lookup table with the JSON, follow the instructions in Import Content in the Library.

Share a lookup table

You can share a lookup table with other users, a role, or a combination of the two. 

  1. Go to the Sumo Logic Library.
  2. Mouse over the row for a lookup table you want to share, and click the sharing icon towards the right side of the row. You’ll be prompted to enter the user and roles with whom you want to share the table, the level of access you want to grant, and other sharing options. For information about sharing, see Share Content.

Delete a lookup table

Follow the steps below to completely delete a lookup table:

  1. Go to the Sumo Logic Library.
  2. Mouse over the lookup table you want to delete, and select Delete from the three-dot more options menu.

View Lookup Table update status

When you're viewing a Lookup Table in the Library, you can view information about multi-row updates to the table that are queued up or have been recently completed. 

You can toggle your view between Lookup Actions Queue and Lookup Actions History with the icons labeled a and b in the screenshot below, respectively.

lookup-actions-history.png

The notifications include what type of update was initiated and its status.

Types of updates include: 

  • Full Replace. The contents of the  Lookup Table were completely replaced. 
  • Merge Data. The contents of the Lookup Table were updated (if they already existed), or additional rows were appended (if they didn't already exist). No data was deleted.
  • Delete Data. The contents of the current lookup were completely deleted by the user.

The status of an update can be one of the following:

  • Queued. The update operation has been queued but hasn't been completed. 
  • In Progress. The update operation is in progress.  
  • Completed. The update operation was successfully completed.
  • Completed with Warning. The update operation was successful, but there were some warnings.  
  • Error. There was an issue in completing the update operation.