topic Re: Append Custom Rows to Lookup Table in Splunk Search

Append Custom Rows to Lookup Table

pepper_seattle — Thu, 25 Aug 2016 22:34:21 GMT

I have a lookup table which was created manually in excel and then ported into Splunk as a lookup table via "Add New" lookup files. As I cannot get the results for the lookup by querying in Splunk (information being brought in from elsewhere that isn't logged) I am having trouble figuring out how to add rows as needed.

Question:
Is there a way to add a row to a lookup table when you can't query for the table results outside the lookup itself?

Re: Append Custom Rows to Lookup Table

jconger — Thu, 25 Aug 2016 22:39:37 GMT

You can use the outputlookup command if you want to append results.

Or, there is a really cool lookup editor available here -> https://splunkbase.splunk.com/app/1724/

Re: Append Custom Rows to Lookup Table

pepper_seattle — Thu, 25 Aug 2016 22:55:01 GMT

I know about outputlookup, but I'm not sure how to append a row with custom data. Most examples have you query your data and update tables with the results of the query. If I can't query for my data, then what do I do?

Looking into that tool, thanks for pointing it out!

Re: Append Custom Rows to Lookup Table

jconger — Thu, 25 Aug 2016 23:29:40 GMT

You can do it in search as well. Let's say you have a CSV that was imported that looks like this:

thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"

Then, you can run the following search to view the CSV, append some made up results, dedup the data (by using stats count), and write it all back to the original CSV:

| inputlookup things.csv | append [ | stats count | eval thing=4 | eval color="purple" | eval weight=4.4 ] | stats count by thing color weight | fields - count | output lookup things.csv

After running that search, the CSV looks like this:

thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"
4,purple,"4.4"

Re: Append Custom Rows to Lookup Table

pepper_seattle — Fri, 26 Aug 2016 17:14:35 GMT

That worked! Thank you!

Re: Append Custom Rows to Lookup Table

bwlm — Wed, 20 Mar 2019 00:01:55 GMT

Another hack, is you could select one entry from the lookup table, modify the field values with "eval" commands, then append to the original lookup table.

Considering things-table.csv:
thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"

The following command will lookup the first entry, modify it, then append to the lookup table:
| inputlookup things-table.csv
| search thing=1
| eval thing="4",color="purple",weight="4.4"
| outputlookup append=t things-table.csv

Then "|inputlookup things-table.csv" will have the output:
thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"
4,purple,"4.4"