Getting Data In

Can we delete the data from lookup file created ??

Motivator

Hi..

I have written a shceduled search which will save my data to a csv file..Is ther any query to delete the data from csv file after a certain period if needed ??

Please help..

Tags (2)
0 Karma

Splunk Employee
Splunk Employee

You can have a scheduled search that will overwrite the lookup with empty events on a regular basis.

0 Karma

Motivator

can i delte the last record based on the condition .i.e records count is greater then 30...

0 Karma

Motivator

Hi.Yannk that was real quick...can you please give me the extact query..i need to the remove the last record from csv file on daily basis...and i want the add the new records from the top to the existing ones..

0 Karma

Splunk Employee
Splunk Employee

let's suppose your lookup contains 3 columns (3 fields)

| inputlookup  
| where (whatever condition to remove or keep lines)
| eval (whatever transforms rules you need )
| append [ search sub search to generate new results to add  if any | table field1 field2 field3 ]  
| table field1 field2 field3 
| outputlookup  
0 Karma

Motivator

Can you pls give the search query for that ?? say my lookup file Data.csv .. each time i need to delete the last record on the daily basis...how can i do it ??

0 Karma

Splunk Employee
Splunk Employee

input the data from the existing lookup (inputlookup)
process the data, remove lines, add new lines
output the data to the lookup (outputlookup)

0 Karma

Motivator

its deleting all the data..i need the last row to be deleted on daily basis...after creating says 30 rows..how can i do it ?

0 Karma

Splunk Employee
Splunk Employee

from a saved search in the same app than the lookup :

* | head 1 | eval _raw="" | table _raw | outputlookup <nameofthelookupcsvfile>

0 Karma

Motivator

Can you give a sample query pls ??

0 Karma