[FEATURE] PPL LOOKUP Functionality #2651
Comments
@brijos please take a look at this existing PPL correlation API
PPL Lookup Design Proposal
As implemented in PR 2698 the proposed design (and so far implemented) syntax is:
Design
The The Spark PPL Lookup command implementation is done in separate PR in the opensearch-spark repo: PR 407. Here we can (and need) to implement it as a
Syntax
Then we need at least one If more than one If the field has a different name in the current search result use
Examples:
+1 for this feature
Is your feature request related to a problem?
OpenSearch users want an easy way to enrich the data they have stored in OpenSearch and external data sources using content from an OpenSearch index. This is common in security analytics scenarios where one wants to enrich their IP reputation lists, vulnerability databases, or threat feeds.
What solution would you like?
Do a lookup of a field/value from another log group and use that to convert to a user-friendly name/error code.
*** Out of Scope ***
What alternatives have you considered?
Performing joins using SQL
Do you have any additional context?
None.