https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613412#M213186 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248885">@spadler</a>,</P><P>the searches in both report and add lookup I suppose are the same.</P><P>So you could run your search in an alert, sending the csv as attachment and adding at the end of the search the outputlookup command that saves the search results in a lookup.</P><P>In this way you have with one search both the lookup and the attachement because the outputlookup doesn't change the results to send as alert attachement.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 16 Sep 2022 13:44:04 GMT gcusello 2022-09-16T13:44:04Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613409#M213184 <P>I was asked to archive search results in a CSV then send those results periodically by email. My solution is to do this in 2 reports. The first report runs the search and appends the results to a lookup. The second just grabs the entire lookup (| inputlookup my_lookup.csv) then emails the results as a CSV.&nbsp;</P> <P>This seems to work fine but I feel like there should be a more elegant solution, like in only one search/report. I'm curious about what others think.&nbsp;</P> Fri, 16 Sep 2022 14:51:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613409#M213184 spadler 2022-09-16T14:51:18Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613412#M213186 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248885">@spadler</a>,</P><P>the searches in both report and add lookup I suppose are the same.</P><P>So you could run your search in an alert, sending the csv as attachment and adding at the end of the search the outputlookup command that saves the search results in a lookup.</P><P>In this way you have with one search both the lookup and the attachement because the outputlookup doesn't change the results to send as alert attachement.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 16 Sep 2022 13:44:04 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613412#M213186 gcusello 2022-09-16T13:44:04Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613413#M213187 <P>hi,</P><P>This sounds like a working solution. Me personally would first try to create an alert instead of report and set the trigger to "send email" there you can select "attach CSV".. should do the same with one object to maintain.</P><P>best regards,</P><P>Andreas</P> Fri, 16 Sep 2022 13:45:12 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613413#M213187 schose 2022-09-16T13:45:12Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613436#M213197 <P>I tried your suggestion with the following in an alert. While it performs the search, updates the lookup, and sends the lookup CSV by email, it overwrites the lookup data. I need it to append the latest search results to the lookup, then send the updated CSV by email.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">MY_SEARCH |timechart span=10m count BY status | outputlookup my_lookup.csv</LI-CODE><P>&nbsp;</P> Fri, 16 Sep 2022 15:22:20 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613436#M213197 spadler 2022-09-16T15:22:20Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613438#M213198 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248885">@spadler</a>,</P><P>please try this:</P><LI-CODE lang="markup">MY_SEARCH | append [ | inputlookup your_lookup.csv | fields _time status count ] | timechart span=10m count BY status | outputlookup my_lookup.csv</LI-CODE><P>Otherwise, the only solution is two different objects.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 16 Sep 2022 15:32:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613438#M213198 gcusello 2022-09-16T15:32:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613494#M213219 <P>If you have outbound mail setup you can use&nbsp;<EM>|sendmail</EM> after the outputlookup. This this works for me, and Im able to receive csv files attached that were produced by the outputlookup:</P><LI-CODE lang="markup">mysearch | outputlookup mylookup.csv | sendmail to="abc@xyz.com" sendcsv=true</LI-CODE><P>See these docs:</P><P><A href="https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Sendemail" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Sendemail</A></P><P><A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Sendemail" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Sendemail</A></P><P>&nbsp;</P> Sat, 17 Sep 2022 05:45:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-search-results-to-lookup-AND-send-entire-lookup-by/m-p/613494#M213219 nyc_jason 2022-09-17T05:45:42Z