https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653086#M225678 <P>append true makes dublicates, is it possible to avoid it?</P><P>maybe any other solution?</P> Thu, 03 Aug 2023 15:41:57 GMT bosseres 2023-08-03T15:41:57Z https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653071#M225667 <P>Hello, everyone!</P> <P>I have search, which ends in such way</P> <P>...</P> <P><EM>| ta</EM><EM>ble id, name</EM><BR /><EM>| outputlookup my_lookup.csv</EM></P> <P><BR />so my search get such results</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%">id</TD> <TD width="50%">name</TD> </TR> <TR> <TD width="50%">1</TD> <TD width="50%">John</TD> </TR> <TR> <TD width="50%">2</TD> <TD width="50%">Mark</TD> </TR> <TR> <TD width="50%">3</TD> <TD width="50%">James</TD> </TR> </TBODY> </TABLE> <P><BR />Now, I want to record only NEW id's from search&nbsp; to lookup, which weren't there</P> <P>Is it possible to make without reworking search?</P> Thu, 03 Aug 2023 21:06:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653071#M225667 bosseres 2023-08-03T21:06:20Z https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653073#M225669 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/228794">@bosseres</a>,</P><P>you have two choices:</P><UL><LI>fully override the lookup,</LI><LI>add new names.</LI></UL><P>For the second choice, please try this:</P><LI-CODE lang="markup">&lt;your_search&gt; NOT [ | inputlookup my_lookup.csv | fields name ] | table id, name | outputlookup my_lookup.csv append=true</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 03 Aug 2023 14:38:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653073#M225669 gcusello 2023-08-03T14:38:38Z https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653074#M225670 <P>append=t</P><P>You should remove any results which are already in your lookup.</P> Thu, 03 Aug 2023 14:40:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653074#M225670 ITWhisperer 2023-08-03T14:40:19Z https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653085#M225677 <P>Ye, I thought about it, but...</P><P>first one choice is not suit to me, because I need to make big time range of search to collect of actual id's.</P><P>about second one I thought, but i am afraid of some id's can be changed, so better to recollect them</P> Thu, 03 Aug 2023 15:41:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653085#M225677 bosseres 2023-08-03T15:41:19Z https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653086#M225678 <P>append true makes dublicates, is it possible to avoid it?</P><P>maybe any other solution?</P> Thu, 03 Aug 2023 15:41:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653086#M225678 bosseres 2023-08-03T15:41:57Z https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653089#M225679 <P>Yes, as I said, remove the duplicates before the outputlookup.</P><P>It does depend on how you generate the events you want to add to the lookup.</P> Thu, 03 Aug 2023 16:01:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-new-entries-in-lookup/m-p/653089#M225679 ITWhisperer 2023-08-03T16:01:41Z