How to push the search query to lookup file

vivek_manoj · ‎03-31-2017

If I write a search query and want to push the search query code to my lookup. Ho to do it??

gehinger · ‎04-03-2017

The query itself won't give you this ability.

However, all queries are stored in the _audit index. So you could search this index for the desired queries and then output the result into a lookup file.

index=_audit action=search

DalJeanis · ‎03-31-2017

is it the code you want to push, or the output?

vivek_manoj · ‎04-03-2017

Yes, I want to push the splunk query code in lookup.

For Example : - index="_internal" and I want to push index="_internal" into the lookup.

adonio · ‎04-03-2017

just throwing out there but if you want to capture the searches, you can go with something like this:
| history | table _time search | outputlookup searches.csv

rjthibod · ‎03-31-2017

The community more details about your queries and lookup in order to be helpful.

Please provide a summary of what is stored in the lookup and what your queries look like.

adonio · ‎03-31-2017

if the results are what youre looking for, just pipe to table and outputlookup. something like that:
my base search | table field1 field2 fieldn | ouputlookup mysearch.csv

How to push the search query to lookup file

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor