Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Populating Lookup using saved search

akshatj2
Path Finder
‎08-01-2019 02:24 PM

Hi All,

I would like to populate a lookup using savedsearches but condition being the previous entry from the lookup should only be removed if the current search result returns some values. In case the search does not return any value. the lookup should not be changed.

Can anyone help me with the possible solution for the same.

0 Karma
Reply

nareshinsvu
Builder
‎08-01-2019 09:46 PM

Hope this works. Give a Try

First command:

|from datamodel:"blahblah"| table "your column" | outputlookup your_lookup.csv

Next command: appends only if it finds additional rows in the output

|from datamodel:"blahblah"| table "your column" | where NOT [|inputlookup your_lookup.csv ] | outputlookup your_lookup.csv append=true

0 Karma
Reply

akshatj2
Path Finder
‎08-02-2019 02:14 AM

We don't want to append the data to any of the old lookup, it should be a new lookup created when the search returns any results.

0 Karma
Reply

nareshinsvu
Builder
‎08-04-2019 07:07 PM

So, you can use a new name in your command? But this will create numerous lookup files and very hard for you to manage/housekeep. Mate - what is your exact requirement?

|from datamodel:"blahblah"| table "your column" | where NOT [|inputlookup your_lookup.csv ] | outputlookup your_NEW_lookup.csv

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-01-2019 03:46 PM

Do your search then read the existing lookup file using the append=true option. Deduplicate the results and write them back to the lookup file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

akshatj2
Path Finder
‎08-01-2019 04:34 PM

No, it just search for the events and write it to lookup. We do not append data as it will become very huge with time going forward

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-02-2019 06:21 AM

Have a look at the create_empty and override_if_empty options of the outputlookup command to see if they satisfy your requirements.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...