topic Re: What's the best way to insert a single value into a lookup table without editing a csv in Splunk Search https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-insert-a-single-value-into-a-lookup-table/m-p/313945#M93961 <P>If you want to generate some entry that is not based on a search result, just use the <A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Makeresults">makeresults</A> command.</P> <P>That way you can get rid of the index=_audit bit and the duplicate bit. You probably want to keep the table bit to strip the _time field that is generated with the makeresults command.</P> <P>If you're doing this manually, you could also consider installing the <A href="https://splunkbase.splunk.com/app/1724/">lookup editor app</A> (or use the one from Splunk Enterprise Security if you are using that app), such that you can edit lookups through a GUI.</P> Mon, 22 Jan 2018 16:28:56 GMT FrankVl 2018-01-22T16:28:56Z What's the best way to insert a single value into a lookup table without editing a csv https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-insert-a-single-value-into-a-lookup-table/m-p/313943#M93959 <P>Hi Splunkers,</P> <P>To insert a single new value into a lookup table, I've been running something like this: </P> <P><CODE>index=_audit earliest=-10s | eval myfield="foo"<BR /> | dedup myfield<BR /> | table myfield<BR /> | outputlookup append=true mylookup</CODE></P> <P>But it seems clunky. Any other recommendations? I thought of first running <CODE>inputlookup mylookup</CODE>, then exporting, then updating the csv, then reuploading. Is there a better way to do this?</P> <P>I should add that the myfield and foo values have nothing to do with the _audit index. I'm just looking for a way to generate an event so I can eval the field that I need.</P> Mon, 22 Jan 2018 15:09:30 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-insert-a-single-value-into-a-lookup-table/m-p/313943#M93959 grittonc 2018-01-22T15:09:30Z Re: What's the best way to insert a single value into a lookup table without editing a csv https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-insert-a-single-value-into-a-lookup-table/m-p/313944#M93960 <P>You can do like this (assuming myfield is the primary key in the lookup)</P> <PRE><CODE>index=_audit earliest=-10s | eval myfield="foo" | dedup myfield | table myfield | inputlookup mylookup append=t | dedup myfield | outputlookup mylookup </CODE></PRE> <P>Above will add new entries from _audit query OR update (replace) existing entries.</P> Mon, 22 Jan 2018 15:40:35 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-insert-a-single-value-into-a-lookup-table/m-p/313944#M93960 somesoni2 2018-01-22T15:40:35Z Re: What's the best way to insert a single value into a lookup table without editing a csv https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-insert-a-single-value-into-a-lookup-table/m-p/313945#M93961 <P>If you want to generate some entry that is not based on a search result, just use the <A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Makeresults">makeresults</A> command.</P> <P>That way you can get rid of the index=_audit bit and the duplicate bit. You probably want to keep the table bit to strip the _time field that is generated with the makeresults command.</P> <P>If you're doing this manually, you could also consider installing the <A href="https://splunkbase.splunk.com/app/1724/">lookup editor app</A> (or use the one from Splunk Enterprise Security if you are using that app), such that you can edit lookups through a GUI.</P> Mon, 22 Jan 2018 16:28:56 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-insert-a-single-value-into-a-lookup-table/m-p/313945#M93961 FrankVl 2018-01-22T16:28:56Z Re: What's the best way to insert a single value into a lookup table without editing a csv https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-insert-a-single-value-into-a-lookup-table/m-p/313946#M93962 <P>if you looking for how to make fake data in Splunk using SPL. Then have a look at this link</P> <P><A href="https://gist.github.com/bshuler/5d0d75ac43ed8f57809fed6b60c4bfca">https://gist.github.com/bshuler/5d0d75ac43ed8f57809fed6b60c4bfca</A></P> <P>let me know if this helps!</P> Mon, 22 Jan 2018 17:32:09 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-insert-a-single-value-into-a-lookup-table/m-p/313946#M93962 mayurr98 2018-01-22T17:32:09Z Re: What's the best way to insert a single value into a lookup table without editing a csv https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-insert-a-single-value-into-a-lookup-table/m-p/313947#M93963 <P>Thanks, but I was trying not to use any index in generating the data. </P> Mon, 09 Jul 2018 18:16:33 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-insert-a-single-value-into-a-lookup-table/m-p/313947#M93963 grittonc 2018-07-09T18:16:33Z