topic How to add a new row to a lookup using a Splunk query? in Splunk Search

How to add a new row to a lookup using a Splunk query?

agentsofshield — Tue, 12 Mar 2019 08:45:16 GMT

Is there a Splunk query to add a new row or a new column to a lookup table?

I specifically ask for a query because I want my Python script to append rows automatically.

Thanks.

Re: How to add a new row to a lookup using a Splunk query?

vnravikumar — Tue, 12 Mar 2019 08:49:16 GMT

Check this link

https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Outputlookup

Re: How to add a new row to a lookup using a Splunk query?

agentsofshield — Tue, 12 Mar 2019 09:01:49 GMT

Didn't help, can I get the specific example?

Re: How to add a new row to a lookup using a Splunk query?

harsmarvania57 — Tue, 12 Mar 2019 09:33:07 GMT

Hi,

Please try below query (In below query assume that I have single column in CSV with header IP).

<yourBaseSearch>
| eval ip="1.2.3.4"
| fields ip
| outputlookup append=t <existing_lookup.csv>

| inputlookup <existing_lookup.csv>
| append [ makeresults | eval ip="1.2.3.4"]
| fields ip
| outputlookup <existing_lookup.csv>

EDIT: Updated query so only ip field will be added/updated in CSV lookup.

Re: How to add a new row to a lookup using a Splunk query?

vnravikumar — Tue, 12 Mar 2019 09:38:13 GMT

Try with outputlookup command

ex:

|makeresults |eval id=3,name="test3" | outputlookup append=true samplelookup

Re: How to add a new row to a lookup using a Splunk query?

nickhills — Tue, 12 Mar 2019 09:39:41 GMT

One approach, which I find most robust is:

1.) Open your original lookup.
2.) Table your new row
3.) Dedup (if necessary)
4.) Write the updated lookup

 [your search which produces results of 1 or more rows]
| inputlookup append=true mylookup.csv
|table field_id, field_a, field_b
|dedup field_id
|outputlookup mylookup.csv

Using this method you can add both rows and columns if needed by including them in the table command. This will load the 'old copy' of the file, and re-write the file with all the rows/columns present in the table.

Re: How to add a new row to a lookup using a Splunk query?

agentsofshield — Tue, 12 Mar 2019 12:30:25 GMT

How do I "make results"?

Re: How to add a new row to a lookup using a Splunk query?

agentsofshield — Tue, 12 Mar 2019 12:31:12 GMT

But I'm not taking my new values from a Splunk search. It's from a Python script. How do I just put specific values in the lookup?

Re: How to add a new row to a lookup using a Splunk query?

harsmarvania57 — Tue, 12 Mar 2019 12:53:07 GMT

As you are using python so first create splunk query using python, if you want to add more results then you can do something like this while creating query.

Create variable called ip and with all values delimited with semicolon so something like this ip="3.4.5.6;10.10.0.1" and then use below splunk query

| inputlookup <existing_lookup.csv>
| append [ makeresults | eval ip="3.4.5.6;10.10.0.1" ]
| table ip
| eval ip=split(ip,";")
| mvexpand ip
| dedup ip
| outputlookup <existing_lookup.csv>

and then fire above query in splunk using python script.

Re: How to add a new row to a lookup using a Splunk query?

nickhills — Tue, 12 Mar 2019 13:17:54 GMT

A python script running outside of splunk?
If so, you just need to configure the script to write a new line (and optionally a header if you're adding new cols) to the csv in the lookups directory, but you will want to include error handling etc to make sure you don't trash the original file.