enrich
Description
The enrich command adds contextual information to logs by performing lookups against a custom enrichment table. It merges additional columns from the lookup into each log document based on a matching key.
This is particularly useful for attaching static metadata (like user details, service mappings, or IP ownership) to incoming logs without modifying upstream systems. The enrichment is applied at query time, meaning you always work with the most recent version of the enrichment table.
Each lookup table must be created and uploaded beforehand as a Custom Enrichment. For setup and management instructions, see Custom Enrichment.
Note
- All values in a lookup table are stored as strings. Use conversion functions such as toNumber() or toTimestamp() if a different type is required.
- If a log already contains the enriched key, enrich will merge or update only the matching sub-keys; unrelated fields remain unchanged.
Syntax
Example
Use case: Attach employee information to a user ID
Suppose your logs contain user IDs, and you maintain an external lookup table with user details such as name and department. You can use enrich to join this contextual data dynamically into your logs, enabling richer queries and more meaningful analysis.
Lookup table (my_users):
| ID | Name | Department |
|---|---|---|
| 111 | John | Finance |
| 222 | Emily | IT |
Example data
Example query
Example output
{
"userid": "111",
"user_enriched": {
"ID": "111",
"Name": "John",
"Department": "Finance"
}
},
{
"userid": "222",
"user_enriched": {
"ID": "222",
"Name": "Emily",
"Department": "IT"
}
}
The enrich command performs a lookup in my_users based on the userid value and attaches the corresponding data as a nested object under user_enriched. This approach ensures logs always reflect the latest lookup information without altering the source data.
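The following is an added reference model of the lookup-and-merge behaviour described above, covering both the Note (string-typed values, merging only matching sub-keys) and the my_users example. It is illustrative Python written for this page, not the product's own implementation or query syntax. Assumptions it makes that the page does not state: a log whose key has no row in the table is returned unchanged, the key is compared as a string, and `to_number` stands in for the page's toNumber() conversion.

```python
from typing import Any, Dict, List

# Constructed lookup table mirroring the page's my_users table.
# Every value is a string, as the Note says enrichment tables store them.
MY_USERS: List[Dict[str, str]] = [
    {"ID": "111", "Name": "John", "Department": "Finance"},
    {"ID": "222", "Name": "Emily", "Department": "IT"},
]


def build_index(table: List[Dict[str, str]], key_column: str) -> Dict[str, Dict[str, str]]:
    """Index the table by its key column so each log needs one dictionary lookup."""
    return {row[key_column]: row for row in table}


def enrich(doc: Dict[str, Any], index: Dict[str, Dict[str, str]],
           source_key: str, target_key: str) -> Dict[str, Any]:
    """Return a copy of doc with the matching lookup row nested under target_key.

    Behaviour modelled on the page:
    - the row is attached as a nested object (e.g. user_enriched);
    - if target_key already exists as an object, only the table's columns are
      written into it; other sub-keys already present are left unchanged.
    Assumption (not stated on the page): no match leaves the document as-is,
    and the log value is compared to the table key as a string.
    """
    out = dict(doc)  # never mutate the source document
    lookup_value = doc.get(source_key)
    row = index.get(str(lookup_value)) if lookup_value is not None else None
    if row is None:
        return out
    existing = out.get(target_key)
    merged = dict(existing) if isinstance(existing, dict) else {}
    merged.update(row)  # matching sub-keys updated, unrelated ones preserved
    out[target_key] = merged
    return out


def enrich_all(docs: List[Dict[str, Any]], table: List[Dict[str, str]],
               key_column: str, source_key: str, target_key: str) -> List[Dict[str, Any]]:
    """Apply the lookup at 'query time': the index is rebuilt from the current table."""
    index = build_index(table, key_column)
    return [enrich(d, index, source_key, target_key) for d in docs]


def to_number(value: str) -> float:
    """Hypothetical stand-in for toNumber(): enrichment values arrive as strings,
    so numeric comparisons need an explicit conversion first."""
    try:
        return int(value)
    except ValueError:
        return float(value)


if __name__ == "__main__":
    # Constructed sample logs; "999" has no row in the table.
    logs = [{"userid": "111"}, {"userid": "222"}, {"userid": "999"}]
    for doc in enrich_all(logs, MY_USERS, "ID", "userid", "user_enriched"):
        print(doc)
```

Running the module prints the two enriched documents from the page's example output followed by the unmatched log unchanged. Because `enrich_all` rebuilds the index on every call, uploading a new version of the table is reflected on the next query, which is the "applied at query time" property the page describes.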