You can have a scheduled search that will overwrite the lookup with empty events on a regular basis.
Can I delete the last record based on a condition, i.e. the record count is greater than 30?
Hi Yannk, that was real quick. Can you please give me the exact query? I need to remove the last record from the CSV file on a daily basis, and I want to add the new records at the top of the existing ones.
Let's suppose your lookup contains 3 columns (3 fields):
| inputlookup| where (whatever condition to remove or keep lines) | eval (whatever transforms rules you need ) | append [ search sub search to generate new results to add if any | table field1 field2 field3 ] | table field1 field2 field3 | outputlookup
Can you please give the search query for that? Say my lookup file is Data.csv. Each time, I need to delete the last record on a daily basis. How can I do it?
input the data from the existing lookup (inputlookup)
process the data, remove lines, add new lines
output the data to the lookup (outputlookup)
It's deleting all the data. I need the last row to be deleted on a daily basis, after creating, say, 30 rows. How can I do it?
From a saved search in the same app as the lookup:
* | head 1 | eval _raw="" | table _raw | outputlookup <nameofthelookupcsvfile>
Can you give a sample query, please?
If you don't know the number of rows in the CSV file, then execute the two queries below to delete the last row in the CSV lookup:
| inputlookup <lookup_name> | stats count
Now, use the count value in the query below:
| inputlookup <lookup_name> | head <count-1> | outputlookup <lookup_name>
This works for me, you may try:
| inputlookup <lookup_name> | head count=1 | outputlookup <lookup_name>
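An added example, not part of the original thread: one scheduled search that handles the whole request in a single pass, putting new rows on top of Data.csv and dropping the last row only once the file holds more than 30 rows. Data.csv and field1, field2, field3 come from the posts above; `<search that produces the new rows>` is a placeholder, and row_num and total_rows are helper fields made up for this example.

```spl
<search that produces the new rows>
| table field1 field2 field3
| inputlookup append=true Data.csv
| streamstats count AS row_num
| eventstats count AS total_rows
| where NOT (total_rows > 30 AND row_num == total_rows)
| fields - row_num total_rows
| outputlookup Data.csv
```

Because the row count is computed inside the search, no separate `stats count` run or hand-edited number is needed, and the lookup is never rewritten empty while it still has 30 rows or fewer.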