https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-table-using-a-scheduled-search-by/m-p/115909#M30756 <P>Hi,<BR /> I have one scheduled search which saves the output in a file "filename.csv" at specific interval of time.</P> <PRE><CODE>index="myindex"|........|.....|outputlookup filename.csv </CODE></PRE> <P>But what is happening now is that the complete file content is replaced with the new one, hence losing the old data from the file. I want to append the search result to the data already present in filename.csv</P> <P>Please Help...!!!</P> Thu, 21 May 2015 06:38:40 GMT harshal_chakran 2015-05-21T06:38:40Z https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-table-using-a-scheduled-search-by/m-p/115909#M30756 <P>Hi,<BR /> I have one scheduled search which saves the output in a file "filename.csv" at specific interval of time.</P> <PRE><CODE>index="myindex"|........|.....|outputlookup filename.csv </CODE></PRE> <P>But what is happening now is that the complete file content is replaced with the new one, hence losing the old data from the file. I want to append the search result to the data already present in filename.csv</P> <P>Please Help...!!!</P> Thu, 21 May 2015 06:38:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-table-using-a-scheduled-search-by/m-p/115909#M30756 harshal_chakran 2015-05-21T06:38:40Z https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-table-using-a-scheduled-search-by/m-p/115910#M30757 <P>You can try something like:</P> <PRE><CODE>|inputlookup filename.csv | append [your new search] | filter the duplicate events if required | outputlookup filename.csv </CODE></PRE> <P>Thanks!!</P> Thu, 21 May 2015 06:43:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-table-using-a-scheduled-search-by/m-p/115910#M30757 vganjare 2015-05-21T06:43:36Z https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-table-using-a-scheduled-search-by/m-p/115911#M30758 <P>As vganjare mentions it would be handy to get an idea of what you are doing with your lookup. At any rate I think what you are looking for is when you do a | lookup somefile.csv you need to put append=true. As an example here is the first of 2 queries used to track systems that stop sending logs. This one tracks the last time a host sent in logs (runs every 4 hrs) and others run every 8 and run a check against the last_seen field. </P> <PRE><CODE>index=foo | eval host=lower(host) | rex field=host "(?&lt;host&gt;(^[^0-9]\S[^\.]+)|(^[0-9]\S+))" | stats max(_time) AS last_seen by host | inputlookup append=T hosts_list.csv | stats max(last_seen) AS last_seen by host | eval right_now = now() | eval time_diff = right_now - last_seen | where time_diff &lt; (86400 * 3) | table host last_seen | outputlookup hosts_list.csv </CODE></PRE> <P>Relative to your question I'm getting results from a query, adding those results to the csv, manipulating the results, and then writing the results back to the csv. The 2 almost back to back stats commands are because once you've appended the results to the existing csv most systems will have 2 lines and I'm only interested in keeping the latest.</P> <P>BTW I do this as a csv because if a system is decommissioned I can simply remove it from the list.</P> Thu, 21 May 2015 11:37:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-update-a-lookup-table-using-a-scheduled-search-by/m-p/115911#M30758 Runals 2015-05-21T11:37:29Z