Re: Populating Lookup using saved search

akshatj2 · ‎08-01-2019

Hi All,

I would like to populate a lookup using savedsearches but condition being the previous entry from the lookup should only be removed if the current search result returns some values. In case the search does not return any value. the lookup should not be changed.

Can anyone help me with the possible solution for the same.

nareshinsvu · ‎08-01-2019

Hope this works. Give a Try

First command:

|from datamodel:"blahblah"| table "your column" | outputlookup your_lookup.csv

Next command: appends only if it finds additional rows in the output

akshatj2 · ‎08-02-2019

We don't want to append the data to any of the old lookup, it should be a new lookup created when the search returns any results.

nareshinsvu · ‎08-04-2019

So, you can use a new name in your command? But this will create numerous lookup files and very hard for you to manage/housekeep. Mate - what is your exact requirement?

richgalloway · ‎08-01-2019

Do your search then read the existing lookup file using the append=true option. Deduplicate the results and write them back to the lookup file.

---
If this reply helps you, Karma would be appreciated.

akshatj2 · ‎08-01-2019

No, it just search for the events and write it to lookup. We do not append data as it will become very huge with time going forward

richgalloway · ‎08-02-2019

Have a look at the create_empty and override_if_empty options of the outputlookup command to see if they satisfy your requirements.

---
If this reply helps you, Karma would be appreciated.

Populating Lookup using saved search

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life