https://community.splunk.com/t5/Splunk-Search/How-can-I-combine-2-searches-consisting-of-inputlookup-and/m-p/364275#M107519 <P>how can i combine queries to populate a lookup table?<BR /> I have a lookup table with the following values</P> <P>item<BR /><BR /> 1<BR /> 2<BR /> 3<BR /> i'm using the splunk web framework to allow a user to insert an item. if the user enters 3 then item 3 is changed to 4 and item 3 is inserted. the field input_item represents the value entered by the user. i'm using the query below to first renumber item 3 to 4 and to insert item 3 via an appended search. </P> <P>| inputlookup item.csv <BR /> | eval input_item = 3<BR /> | eval itemnumber = if(itemnumber &gt;= input_item, itemnumber +1, itemnumber)<BR /> | fields - input_item<BR /> | outputlookup item.csv<BR /> | append [<BR /> | inputlookup item.csv | stats count as testcount<BR /> | eval input_item =3<BR /> | eval itemnumber = input_item<BR /> | fields - testcount<BR /> | outputlookup item.csv append=true]<BR /> unfortunately, the new item is created with a value of 4 instead of 3.<BR /> is there way to combine these two queries or do i need to create 2 separate queries via 2 separate searches in the search manager?</P> <P>thanks in advance,<BR /> Peter</P> Tue, 29 Sep 2020 17:25:21 GMT pc1234 2020-09-29T17:25:21Z https://community.splunk.com/t5/Splunk-Search/How-can-I-combine-2-searches-consisting-of-inputlookup-and/m-p/364275#M107519 <P>how can i combine queries to populate a lookup table?<BR /> I have a lookup table with the following values</P> <P>item<BR /><BR /> 1<BR /> 2<BR /> 3<BR /> i'm using the splunk web framework to allow a user to insert an item. if the user enters 3 then item 3 is changed to 4 and item 3 is inserted. the field input_item represents the value entered by the user. i'm using the query below to first renumber item 3 to 4 and to insert item 3 via an appended search. </P> <P>| inputlookup item.csv <BR /> | eval input_item = 3<BR /> | eval itemnumber = if(itemnumber &gt;= input_item, itemnumber +1, itemnumber)<BR /> | fields - input_item<BR /> | outputlookup item.csv<BR /> | append [<BR /> | inputlookup item.csv | stats count as testcount<BR /> | eval input_item =3<BR /> | eval itemnumber = input_item<BR /> | fields - testcount<BR /> | outputlookup item.csv append=true]<BR /> unfortunately, the new item is created with a value of 4 instead of 3.<BR /> is there way to combine these two queries or do i need to create 2 separate queries via 2 separate searches in the search manager?</P> <P>thanks in advance,<BR /> Peter</P> Tue, 29 Sep 2020 17:25:21 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-combine-2-searches-consisting-of-inputlookup-and/m-p/364275#M107519 pc1234 2020-09-29T17:25:21Z https://community.splunk.com/t5/Splunk-Search/How-can-I-combine-2-searches-consisting-of-inputlookup-and/m-p/364276#M107520 <P>PC1234, looks like you just want to modify your CSV and add a row to it. I am guessing that the csv gets evaluated once in the query, so try this:</P> <PRE><CODE>| inputlookup item.csv | eval input_item = 3 | eval itemnumber = if(itemnumber &gt;= input_item, itemnumber +1, itemnumber) | append [|makeresults | eval itemnumber = input_item | table itemnumber] | fields - input_item | outputlookup item.csv </CODE></PRE> Fri, 22 Dec 2017 13:32:16 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-combine-2-searches-consisting-of-inputlookup-and/m-p/364276#M107520 MonkeyK 2017-12-22T13:32:16Z https://community.splunk.com/t5/Splunk-Search/How-can-I-combine-2-searches-consisting-of-inputlookup-and/m-p/364277#M107521 <P>FYI, I verified that the lookup is only loaded/evaluated when the search gets parsed by doing this:</P> <PRE><CODE>| makeresults | eval data= "ITEM=1 ;ITEM=2; ITEM=3" | makemv data delim=";" | mvexpand data | rename data as _raw | KV | table ITEM | outputlookup items.csv | append [|inputlookup items.csv] </CODE></PRE> <P>If the lookukp were processed for each reference, I would get two records each for ITEM=1, ITEM=2, ITEM=3<BR /> Instead the results look like:</P> <PRE><CODE>ITEM 1 2 3 </CODE></PRE> <P>Run the same query again and I get:</P> <PRE><CODE>ITEM 1 2 3 1 2 3 </CODE></PRE> Fri, 22 Dec 2017 14:59:45 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-combine-2-searches-consisting-of-inputlookup-and/m-p/364277#M107521 MonkeyK 2017-12-22T14:59:45Z https://community.splunk.com/t5/Splunk-Search/How-can-I-combine-2-searches-consisting-of-inputlookup-and/m-p/364278#M107522 <P>@pc1234 since you are anyways using Splunk Web Framework, this scenario seems to be a valid case for KV Store. So, you should try KV Store in place of Lookup: <A href="http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEZT">http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEZT</A></P> Sat, 23 Dec 2017 17:55:57 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-combine-2-searches-consisting-of-inputlookup-and/m-p/364278#M107522 niketn 2017-12-23T17:55:57Z