
Can we delete the data from the lookup file created?

rakesh_498115
Motivator

Hi,

I have written a scheduled search which will save my data to a csv file. Is there any query to delete the data from the csv file after a certain period if needed?

Please help.

0 Karma

yannK
Splunk Employee

You can have a scheduled search that will overwrite the lookup with empty events on a regular basis.

0 Karma

rakesh_498115
Motivator

Can I delete the last record based on a condition, i.e. the record count is greater than 30?

0 Karma

rakesh_498115
Motivator

Hi yannK, that was real quick. Can you please give me the exact query? I need to remove the last record from the csv file on a daily basis, and I want to add the new records from the top to the existing ones.

0 Karma

yannK
Splunk Employee

Let's suppose your lookup contains 3 columns (3 fields):

| inputlookup  
| where (whatever condition to remove or keep lines)
| eval (whatever transforms rules you need )
| append [ search sub search to generate new results to add  if any | table field1 field2 field3 ]  
| table field1 field2 field3 
| outputlookup  
0 Karma

rakesh_498115
Motivator

Can you please give the search query for that? Say my lookup file is Data.csv. Each time I need to delete the last record on a daily basis. How can I do it?

0 Karma

yannK
Splunk Employee

input the data from the existing lookup (inputlookup)
process the data, remove lines, add new lines
output the data to the lookup (outputlookup)

0 Karma

rakesh_498115
Motivator

It's deleting all the data. I need the last row to be deleted on a daily basis, after creating say 30 rows. How can I do it?

0 Karma

yannK
Splunk Employee

From a saved search in the same app as the lookup:

* | head 1 | eval _raw="" | table _raw | outputlookup <nameofthelookupcsvfile>

rakesh_498115
Motivator

Can you give a sample query please?

0 Karma

hardik_d
Engager

If you don't know the number of rows in the csv file, then execute the two queries below to delete the last row in the csv lookup:

| inputlookup <lookup_name> | stats count

Now, use the count value in the query below:

| inputlookup <lookup_name> | head count-1 | outputlookup <lookup_name>

 

0 Karma

rahmatn
Path Finder

This works for me, you may try:

| inputlookup <lookup_name> | head count=1 | outputlookup <lookup_name>
0 Karma
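
An added example, not from any poster in this thread, combining the steps discussed above into one scheduled search: new records go on top, the existing lookup rows are appended below them, and the last row is dropped only once the result holds more than 30 rows. The base search (index=main sourcetype=my_data), the field names and Data.csv are assumptions; override_if_empty=false keeps the existing file when the search returns no results, instead of overwriting it with an empty one.

```spl
index=main sourcetype=my_data earliest=-1d@d latest=@d
| table field1 field2 field3
| append [| inputlookup Data.csv | table field1 field2 field3]
| streamstats count AS row
| eventstats count AS total
| where NOT (total > 30 AND row = total)
| fields - row total
| outputlookup override_if_empty=false Data.csv
```

Running everything up to, but not including, the outputlookup line shows what would be written without changing the lookup file.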