https://community.splunk.com/t5/Splunk-Enterprise/How-to-use-outputlookup-and-inputlookup-in-same-dashboard-in/m-p/572434#M10463 <P>Firstly, I wouldn't do it this way - keep the long-term state in a lookup file. In case you have any mistake in your processing, you lose your history. So overwriting blindly your only copy of calculated stats is a bad idea.</P><P>Anyway, I did a simple test - reading from a lookup, modifying the value(s) and writing it back seems to work ok.</P><LI-CODE lang="markup">| inputlookup test.csv | eval field=field+1 | outputlookup test.csv</LI-CODE><P>Repetitive searches like that cause the field value to increase.</P><P>I assume that in your case you'd need something like</P><LI-CODE lang="markup">| inputlokup whatever | append [ your search generating results ] | outputlookup whatever</LI-CODE><P>Keep in mind though that each run of such search would append your lookup contents in this form so you'd have to implement some fancy logic to check whether to add whole next row or just update one of the results and so on. There's no good reason to complicate things that much. I'd just stick to calculating results on the fly and accelerate the report if needed.</P> Tue, 26 Oct 2021 11:40:50 GMT PickleRick 2021-10-26T11:40:50Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-use-outputlookup-and-inputlookup-in-same-dashboard-in/m-p/572420#M10462 <P>Hello Everyone,</P><P>I am in situation where in I will send the results to one lookup file and from there again I need to take tail 2 two rows to display as a summary in my Dashboard. Below is the exact scenario.</P><P>&nbsp;</P><P>I have a search which compares last week and this week data and produces the results something like below.</P><TABLE width="331"><TBODY><TR><TD width="75">Date</TD><TD width="64">Active&nbsp;</TD><TD width="64">Inactive</TD><TD width="64">Deleted</TD><TD width="64">Added</TD></TR><TR><TD>10/25/2021</TD><TD>80</TD><TD>20</TD><TD>10</TD><TD>15</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I need to send the results calculated in above search to one lookup file . Like that I will keep on sending&nbsp; every week. It will be like below after some weeks say 3 weeks.</P><TABLE width="331"><TBODY><TR><TD width="75">Date</TD><TD width="64">Active&nbsp;</TD><TD width="64">Inactive</TD><TD width="64">Deleted</TD><TD width="64">Added</TD></TR><TR><TD>10/25/2021</TD><TD>80</TD><TD>20</TD><TD>10</TD><TD>15</TD></TR><TR><TD>11/1/2021</TD><TD>78</TD><TD>22</TD><TD>8</TD><TD>11</TD></TR><TR><TD>11/8/2021</TD><TD>83</TD><TD>18</TD><TD>9</TD><TD>6</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>so above is the lookup file,&nbsp; then I need to use the the created lookup as input in the same query to perform some calculations (i.e,. I need to take tail 2 and display it as summary of last 2 weeks).</P><P>Tried something like below. But it didn't worked. Could someone help me on this.</P><P>&lt;search &gt; | outputlookup&nbsp; test1.csv | search inputlookup test1.csv | tail 2</P> Tue, 26 Oct 2021 10:35:45 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-use-outputlookup-and-inputlookup-in-same-dashboard-in/m-p/572420#M10462 Keerthana_18 2021-10-26T10:35:45Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-use-outputlookup-and-inputlookup-in-same-dashboard-in/m-p/572434#M10463 <P>Firstly, I wouldn't do it this way - keep the long-term state in a lookup file. In case you have any mistake in your processing, you lose your history. So overwriting blindly your only copy of calculated stats is a bad idea.</P><P>Anyway, I did a simple test - reading from a lookup, modifying the value(s) and writing it back seems to work ok.</P><LI-CODE lang="markup">| inputlookup test.csv | eval field=field+1 | outputlookup test.csv</LI-CODE><P>Repetitive searches like that cause the field value to increase.</P><P>I assume that in your case you'd need something like</P><LI-CODE lang="markup">| inputlokup whatever | append [ your search generating results ] | outputlookup whatever</LI-CODE><P>Keep in mind though that each run of such search would append your lookup contents in this form so you'd have to implement some fancy logic to check whether to add whole next row or just update one of the results and so on. There's no good reason to complicate things that much. I'd just stick to calculating results on the fly and accelerate the report if needed.</P> Tue, 26 Oct 2021 11:40:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-use-outputlookup-and-inputlookup-in-same-dashboard-in/m-p/572434#M10463 PickleRick 2021-10-26T11:40:50Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-use-outputlookup-and-inputlookup-in-same-dashboard-in/m-p/572449#M10464 <P>OK. It seems more complicated because the test did work (albeit run on a small all-in-one environment) but I wanted to do a one-off modification of a saved lookup and it seems doing an inputlookup then adding some column and saving the lookup file back didn't work. Strange.</P><P>It must have something to do whether I run it on all-in-one or on search head cluster, because it's repeatable - on aio it does work - modifying values, adding columns and so on. On SHC it seems to be not working.</P> Tue, 26 Oct 2021 13:23:52 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-use-outputlookup-and-inputlookup-in-same-dashboard-in/m-p/572449#M10464 PickleRick 2021-10-26T13:23:52Z