pushing data to new csv

kavyamohan — Mon, 14 Oct 2019 10:39:29 GMT

I have a csv where there are 5 columns and the number of rows is 1000. I have indexed that csv as continuous monitoring. If a new row is added into the same csv it should be automatically pushed to new csv which I have created in Splunk. this can be done based on the any calculation. Is this possible?

Re: pushing data to new csv

gcusello — Mon, 14 Oct 2019 11:23:01 GMT

Hikavyamohan,
you have a continuous monitoring, so the new row is read and indexed by Splunk, to add this row to your csv you have two choices:

override the csv with all the results of your search,
add only the new row.

The first choice is the easiest because you have to run your search and use the command outputlookup at the end (see https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/Outputlookup ).

The second requires that you filter the results of your search using the existing csv.

Ciao.
Giuseppe

topic Re: pushing data to new csv in Getting Data In

pushing data to new csv

Re: pushing data to new csv