https://community.splunk.com/t5/Splunk-Search/Update-Lookup-csv-by-Splunk-Output/m-p/690948#M235314 <P>I think the OP's&nbsp;test_MID_IP.csv contains <U>test_IP</U>, not <EM>IP</EM>. (Although it doesn't need to be.) &nbsp;It doesn't need <U>count</U>&nbsp;but may (or may not) need <U>MID</U>. &nbsp;Also, &nbsp;the append option is needed for the table preserve all data.</P><LI-CODE lang="markup">index=abc IP!="10.*" [| inputlookup ip_tracking.csv | rename test_DATA AS MID | format ] | lookup test_MID_IP.csv test_IP as IP OUTPUT test_IP | where isnull(test_IP) | dedup IP | rename IP as test_IP | fields test_IP MID ``` omit MID if that's not needed ``` | outputlookup append=true test_MID_IP.csv</LI-CODE><P>&nbsp;</P> Tue, 18 Jun 2024 04:57:19 GMT yuanliu 2024-06-18T04:57:19Z https://community.splunk.com/t5/Splunk-Search/Update-Lookup-csv-by-Splunk-Output/m-p/690879#M235296 <P>How i update the&nbsp;test_MID_IP.csv&nbsp; with the output IP, so that next time it runs with updated list</P><PRE>index=abc IP!="10.*" [| inputlookup ip_tracking.csv <BR /> | rename test_DATA AS MID | format ] <BR />| lookup test_MID_IP.csv test_IP as IP OUTPUT test_IP <BR />| eval match=if('IP'== test_IP, "yes", "no")<BR />| search match=no <BR />| stats count by IP</PRE> Mon, 17 Jun 2024 12:16:11 GMT https://community.splunk.com/t5/Splunk-Search/Update-Lookup-csv-by-Splunk-Output/m-p/690879#M235296 RahulMisra1 2024-06-17T12:16:11Z https://community.splunk.com/t5/Splunk-Search/Update-Lookup-csv-by-Splunk-Output/m-p/690894#M235297 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267451">@RahulMisra1</a>&nbsp;</P><P>the outputlookup command is used to write the lookup file (we can overwrite or append the lookup file)</P><P>Pls note - this one overwrites the lookup file..&nbsp; if you want to append, pls let us know..&nbsp;</P><LI-CODE lang="markup">index=abc IP!="10.*" [| inputlookup ip_tracking.csv | rename test_DATA AS MID | format ] | lookup test_MID_IP.csv test_IP as IP OUTPUT test_IP | eval match=if('IP'== test_IP, "yes", "no") | search match=no | stats count by IP | outputlookup test_MID_IP.csv</LI-CODE><P>&nbsp;</P> Mon, 17 Jun 2024 12:20:02 GMT https://community.splunk.com/t5/Splunk-Search/Update-Lookup-csv-by-Splunk-Output/m-p/690894#M235297 inventsekar 2024-06-17T12:20:02Z https://community.splunk.com/t5/Splunk-Search/Update-Lookup-csv-by-Splunk-Output/m-p/690901#M235299 <P>Thanks. I want to append the IP to the existing lookup&nbsp;</P><PRE>test_MID_IP.csv</PRE> Mon, 17 Jun 2024 12:53:47 GMT https://community.splunk.com/t5/Splunk-Search/Update-Lookup-csv-by-Splunk-Output/m-p/690901#M235299 RahulMisra1 2024-06-17T12:53:47Z https://community.splunk.com/t5/Splunk-Search/Update-Lookup-csv-by-Splunk-Output/m-p/690948#M235314 <P>I think the OP's&nbsp;test_MID_IP.csv contains <U>test_IP</U>, not <EM>IP</EM>. (Although it doesn't need to be.) &nbsp;It doesn't need <U>count</U>&nbsp;but may (or may not) need <U>MID</U>. &nbsp;Also, &nbsp;the append option is needed for the table preserve all data.</P><LI-CODE lang="markup">index=abc IP!="10.*" [| inputlookup ip_tracking.csv | rename test_DATA AS MID | format ] | lookup test_MID_IP.csv test_IP as IP OUTPUT test_IP | where isnull(test_IP) | dedup IP | rename IP as test_IP | fields test_IP MID ``` omit MID if that's not needed ``` | outputlookup append=true test_MID_IP.csv</LI-CODE><P>&nbsp;</P> Tue, 18 Jun 2024 04:57:19 GMT https://community.splunk.com/t5/Splunk-Search/Update-Lookup-csv-by-Splunk-Output/m-p/690948#M235314 yuanliu 2024-06-18T04:57:19Z