https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421843#M6966 <P>No, it just search for the events and write it to lookup. We do not append data as it will become very huge with time going forward</P> Thu, 01 Aug 2019 23:34:44 GMT akshatj2 2019-08-01T23:34:44Z https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421841#M6964 <P>Hi All,</P> <P>I would like to populate a lookup using savedsearches but condition being the previous entry from the lookup should only be removed if the current search result returns some values. In case the search does not return any value. the lookup should not be changed.</P> <P>Can anyone help me with the possible solution for the same.</P> Thu, 01 Aug 2019 21:24:52 GMT https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421841#M6964 akshatj2 2019-08-01T21:24:52Z https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421842#M6965 <P>Do your search then read the existing lookup file using the <CODE>append=true</CODE> option. Deduplicate the results and write them back to the lookup file. </P> Thu, 01 Aug 2019 22:46:00 GMT https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421842#M6965 richgalloway 2019-08-01T22:46:00Z https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421843#M6966 <P>No, it just search for the events and write it to lookup. We do not append data as it will become very huge with time going forward</P> Thu, 01 Aug 2019 23:34:44 GMT https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421843#M6966 akshatj2 2019-08-01T23:34:44Z https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421844#M6967 <P>Hope this works. Give a Try</P> <P>First command:</P> <P>|from datamodel:"blahblah"| table "your column" | outputlookup your_lookup.csv</P> <P>Next command: appends only if it finds additional rows in the output</P> <P>|from datamodel:"blahblah"| table "your column" | where NOT [|inputlookup your_lookup.csv ] | outputlookup your_lookup.csv append=true</P> Wed, 30 Sep 2020 01:33:40 GMT https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421844#M6967 nareshinsvu 2020-09-30T01:33:40Z https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421845#M6968 <P>We don't want to append the data to any of the old lookup, it should be a new lookup created when the search returns any results.</P> Fri, 02 Aug 2019 09:14:05 GMT https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421845#M6968 akshatj2 2019-08-02T09:14:05Z https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421846#M6969 <P>Have a look at the <CODE>create_empty</CODE> and <CODE>override_if_empty</CODE> options of the <CODE>outputlookup</CODE> command to see if they satisfy your requirements.</P> Fri, 02 Aug 2019 13:21:10 GMT https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421846#M6969 richgalloway 2019-08-02T13:21:10Z https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421847#M6970 <P>So, you can use a new name in your command? But this will create numerous lookup files and very hard for you to manage/housekeep. Mate - what is your exact requirement?</P> <P>|from datamodel:"blahblah"| table "your column" | where NOT [|inputlookup your_lookup.csv ] | outputlookup your_NEW_lookup.csv</P> Wed, 30 Sep 2020 01:38:18 GMT https://community.splunk.com/t5/Reporting/Populating-Lookup-using-saved-search/m-p/421847#M6970 nareshinsvu 2020-09-30T01:38:18Z