https://community.splunk.com/t5/Splunk-Search/Update-lookup-file-values-dynamically/m-p/660992#M228209 <P>I have a lookup file.&nbsp; Lookup has "host", "count", "first_event" and "last_event" fields.&nbsp; I want to run a search hourly that will update all the fields with fresh values and in the event that a "host" is not found in the search send an alert.</P><P>Any guidance would be appreciated.</P> Tue, 17 Oct 2023 11:04:28 GMT bt149 2023-10-17T11:04:28Z https://community.splunk.com/t5/Splunk-Search/Update-lookup-file-values-dynamically/m-p/660992#M228209 <P>I have a lookup file.&nbsp; Lookup has "host", "count", "first_event" and "last_event" fields.&nbsp; I want to run a search hourly that will update all the fields with fresh values and in the event that a "host" is not found in the search send an alert.</P><P>Any guidance would be appreciated.</P> Tue, 17 Oct 2023 11:04:28 GMT https://community.splunk.com/t5/Splunk-Search/Update-lookup-file-values-dynamically/m-p/660992#M228209 bt149 2023-10-17T11:04:28Z https://community.splunk.com/t5/Splunk-Search/Update-lookup-file-values-dynamically/m-p/660993#M228210 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/242392">@bt149</a>,</P><P>for the lookup population search you could try something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; | stats count earliest(_time) AS first_event latest(_time) AS last_event BY host | outputlookup your_lookup.csv</LI-CODE><P>for the alert the fires eventual missing hosts, you could try:</P><LI-CODE lang="markup">&lt;your_search&gt; | stats count BY host | append [ | your_lookup | eval count=0 | fields host count] | stats sum(count) AS count BY host | where count=0</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 17 Oct 2023 11:13:21 GMT https://community.splunk.com/t5/Splunk-Search/Update-lookup-file-values-dynamically/m-p/660993#M228210 gcusello 2023-10-17T11:13:21Z