https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677750#M231750 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P> Fri, 16 Feb 2024 07:16:26 GMT Muthu_Vinith 2024-02-16T07:16:26Z https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677643#M231708 <P><SPAN>Hey Experts, I'm new to splunk and I'm trying to create a new lookup from data in a <STRONG>index=abc</STRONG>. Can someone please guide me on how to achieve this? Any help or example queries would be greatly appreciated. Thank You!</SPAN></P> Thu, 15 Feb 2024 11:36:46 GMT https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677643#M231708 Muthu_Vinith 2024-02-15T11:36:46Z https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677646#M231710 <P>Create a search to find the data you want from your index, then use outputlookup to send it to a lookup source.</P> Thu, 15 Feb 2024 12:04:10 GMT https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677646#M231710 ITWhisperer 2024-02-15T12:04:10Z https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677653#M231714 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260613">@Muthu_Vinith</a>,</P><P>you have at first to create the lookup and the lookup definition (don't forget definition!).</P><P>Then you have to define the fields list of the new lookup from the fiels in the index and create a search, and at least create a search ending with the outputlookup command (<A href="https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Outputlookup" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Outputlookup</A>).</P><P>So you can run something like this:</P><LI-CODE lang="markup">index=abc | dedup field1 field2 field3 | sort field1 field2 field3 | table field1 field2 field3 | outputlookup your_lookup.csv</LI-CODE><P>Analyze the options of the outputlookup command to find the ones that you require.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 15 Feb 2024 12:37:32 GMT https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677653#M231714 gcusello 2024-02-15T12:37:32Z https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677707#M231725 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (180).png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29375i6F5FCE0CE25C8017/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot (180).png" alt="Screenshot (180).png" /></span><BR />How to create&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;?</P> Thu, 15 Feb 2024 17:54:07 GMT https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677707#M231725 Muthu_Vinith 2024-02-15T17:54:07Z https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677715#M231729 <P>Click on the Add New link?</P> Thu, 15 Feb 2024 19:02:25 GMT https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677715#M231729 ITWhisperer 2024-02-15T19:02:25Z https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677743#M231747 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260613">@Muthu_Vinith</a>&nbsp;,</P><P>you can use the Splunk Lookup Editor App (&nbsp;<A href="https://splunkbase.splunk.com/app/1724" target="_blank">https://splunkbase.splunk.com/app/1724</A> )to create the lookup.</P><P>To create the Lookup Definition, you can use the second item of the dashboard that you shared.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 16 Feb 2024 05:54:57 GMT https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677743#M231747 gcusello 2024-02-16T05:54:57Z https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677750#M231750 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P> Fri, 16 Feb 2024 07:16:26 GMT https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677750#M231750 Muthu_Vinith 2024-02-16T07:16:26Z https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677756#M231754 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260613">@Muthu_Vinith</a>&nbsp;,</P><P>good for you, see next time!</P><P>let us know if we can help you more, or, please, accept one answer for the other people of Community.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 16 Feb 2024 08:10:16 GMT https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677756#M231754 gcusello 2024-02-16T08:10:16Z https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677933#M231835 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/260613">@Muthu_Vinith</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sun, 18 Feb 2024 06:23:54 GMT https://community.splunk.com/t5/Splunk-Search/Lookup/m-p/677933#M231835 gcusello 2024-02-18T06:23:54Z