Save to Lookup

When you create a scheduled search, you can choose Save to Lookup as the alert type. This way, you can view the search results later in the lookup table. You can use the lookup operator to enrich other log data with information from the lookup table.

Rules

  • The lookup table must already exist before you can use the Save to Lookup option. For instructions, see Create a Lookup Table.
  • Make sure your search returns all of the fields defined in the lookup table schema and no additional fields. Additional fields will be dropped and not saved to the lookup table. If your search returns fewer fields than are defined for the lookup table, any missing fields whose data type is string will be marked as NULL during the save operation. Missing fields of other data types will be dropped. If your search results are missing the primary key, the save operation will fail.
  • The save operator is not supported in scheduled searches. You can use the save operator to save your search results to a lookup table only when you are not doing a scheduled search. See save Search Operator.
  • Updates to a lookup table from a scheduled search will appear in the Lookup Actions History pane that is displayed for the lookup table when you open it from the Sumo Logic Library.
  • No more than 512 messages returned by a scheduled search can be saved to a lookup table.

Save the results of a scheduled search to a lookup table

  1. Create a log query.
  2. Click the save icon.
  3. On the Save Item popup, click Schedule this search.
  4. Click in the Run frequency field, and select how frequently you want the search to run. For information, see Schedule a Search.
  5. On the Save Item popup:
    1. Send Notification. For information about this option, see Schedule a Search.
    2. Time range and Timezone. For information about this option, see Schedule a Search.
    3. Alert Type. Select Save to Lookup.
    4. Save to Lookup Table. Select the folder that contains the lookup table where you want the search results saved.
    5. Save operation method
      • Full Replace. Choose this option to completely replace the data in the lookup table with the scheduled search results each time the search runs.
      • Merge. Choose this option to update existing lookup table rows with new values, or to add new rows to a lookup table.
  6. Click Save.
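
The Python sketch below is an added example, not Sumo Logic code: it models the field rules listed under Rules and the two save operation methods so you can check a query's output shape before scheduling it. The function names, the sample schema and the sample rows are constructed, and matching rows on the primary key during Merge is an assumption.

```python
MAX_ROWS = 512  # limit stated in the rules on this page


def shape_rows(schema, primary_key, results):
    """Apply the schema rules to search results before a save.

    schema: {field: type name}; primary_key: list of field names;
    results: list of dicts. Returns (rows, notes); raises ValueError
    for conditions this checker refuses to pass on.
    """
    if len(results) > MAX_ROWS:
        # The page gives the limit but not what happens beyond it, so flag it.
        raise ValueError(f"{len(results)} rows returned, limit is {MAX_ROWS}")
    rows, notes = [], set()
    for result in results:
        if any(result.get(k) is None for k in primary_key):
            raise ValueError(f"primary key missing in {result}")
        row = {}
        for field, ftype in schema.items():
            if field in result:
                row[field] = result[field]
            elif ftype == "string":
                row[field] = None  # missing string field is saved as NULL
                notes.add(f"{field}: missing, saved as NULL")
            else:
                notes.add(f"{field}: missing {ftype} field, dropped")
        notes.update(f"{f}: not in schema, dropped" for f in set(result) - set(schema))
        rows.append(row)
    return rows, sorted(notes)


def save(table, rows, primary_key, method):
    """Return the table contents after a save; rows are keyed on the primary key (assumption)."""
    incoming = {tuple(r[k] for k in primary_key): r for r in rows}
    if method == "Full Replace":
        return incoming  # everything from earlier runs is gone
    if method == "Merge":
        return {**table, **incoming}  # existing keys updated, new keys added
    raise ValueError(f"unknown method {method!r}")


# Constructed sample data: a blocklist-style table and one run's results.
SCHEMA = {"src_ip": "string", "reason": "string", "hits": "int"}
TABLE = {("203.0.113.7",): {"src_ip": "203.0.113.7", "reason": "scanner", "hits": 40}}
RESULTS = [{"src_ip": "198.51.100.9", "hits": 12, "_timeslice": 0}]

if __name__ == "__main__":
    rows, notes = shape_rows(SCHEMA, ["src_ip"], RESULTS)
    print(notes)
    print(sorted(save(TABLE, rows, ["src_ip"], "Merge")))
    print(sorted(save(TABLE, rows, ["src_ip"], "Full Replace")))
```

With the sample data, Merge keeps the earlier `203.0.113.7` row while Full Replace leaves only the rows from the latest run, which matters when other queries use the table for enrichment or allow/block decisions.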

Copyright © 2024 by Sumo Logic, Inc.