topic Re: Specify Fields for Outputlookup or Outputcsv in Splunk Search

Specify Fields for Outputlookup or Outputcsv

mattcg — Fri, 13 Aug 2010 03:03:56 GMT

How can I get outputlookup or outputcsv to only include certain fields in the resulting lookup file?

An example explains it better:

SEARCH | DEDUP FieldName1 | FIELDS FieldName1, FieldName2 | OUTPUTLOOKUP lookupFile.csv

I want the resulting lookup file to be formatted with just an entry of "FieldValue1, FieldValue2" per line per result. I do not want the full raw logs in the lookup as it seems to be doing.

Re: Specify Fields for Outputlookup or Outputcsv

ziegfried — Fri, 13 Aug 2010 03:07:17 GMT

<search> | dedup FieldName1 | table FieldName1 FieldName2 | outputlookup mylookup

Re: Specify Fields for Outputlookup or Outputcsv

nick405060 — Thu, 03 Jan 2019 20:24:10 GMT

I downvoted this post because this isn't an elegant solution. I don't want to table my fields before I output because there are other fields that I don't want to output but that I want to keep to do other processing with.

Re: Specify Fields for Outputlookup or Outputcsv

n0vsec — Mon, 28 Sep 2020 17:43:15 GMT

Did you ever find an answer to this? I wanting to do a similar search. I only want to append specific fields to a lookup table, while keeping the rest of the fields for alert automation.

Re: Specify Fields for Outputlookup or Outputcsv

mdorobek — Wed, 07 Feb 2024 08:37:36 GMT

| appendpipe [ | fields x y z | outputlookup lookup ]

Re: Specify Fields for Outputlookup or Outputcsv

n0vsec — Wed, 07 Feb 2024 17:34:06 GMT

This is exactly what I was looking for! One interesting thing I noticed, which I am not sure is a bug or not:

If you run outputlook up and _time is still in the initial pipeline it will output _time to the lookup
- This happens even if you explicitly try to remove using the field command
- A work around would be to rename time, which works but is not ideal

Also to clean this up since this appends to the results of the initial pipeline you will need to follow with a where isnotnull(a), filtering out results on null values that should be present in the appended results.

So the resulting search would be something like:

...initial search... ``` If you don't want _time in your resulting lookup ``` | rename _time as time | convert ctime(time) ``` Select fields for outputing to lookup ``` | appendpipe [| fields a, b, c | outputlookup lookup_file] ``` Remove appended entries by filtering on null fields which should only be present in the appended output ``` | where isnotnull(d)