Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Populating Lookup using saved search

akshatj2
Path Finder
‎08-01-2019 02:24 PM

Hi All,

I would like to populate a lookup using savedsearches but condition being the previous entry from the lookup should only be removed if the current search result returns some values. In case the search does not return any value. the lookup should not be changed.

Can anyone help me with the possible solution for the same.

0 Karma
Reply

nareshinsvu
Builder
‎08-01-2019 09:46 PM

Hope this works. Give a Try

First command:

|from datamodel:"blahblah"| table "your column" | outputlookup your_lookup.csv

Next command: appends only if it finds additional rows in the output

|from datamodel:"blahblah"| table "your column" | where NOT [|inputlookup your_lookup.csv ] | outputlookup your_lookup.csv append=true

0 Karma
Reply

akshatj2
Path Finder
‎08-02-2019 02:14 AM

We don't want to append the data to any of the old lookup, it should be a new lookup created when the search returns any results.

0 Karma
Reply

nareshinsvu
Builder
‎08-04-2019 07:07 PM

So, you can use a new name in your command? But this will create numerous lookup files and very hard for you to manage/housekeep. Mate - what is your exact requirement?

|from datamodel:"blahblah"| table "your column" | where NOT [|inputlookup your_lookup.csv ] | outputlookup your_NEW_lookup.csv

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-01-2019 03:46 PM

Do your search then read the existing lookup file using the append=true option. Deduplicate the results and write them back to the lookup file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

akshatj2
Path Finder
‎08-01-2019 04:34 PM

No, it just search for the events and write it to lookup. We do not append data as it will become very huge with time going forward

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-02-2019 06:21 AM

Have a look at the create_empty and override_if_empty options of the outputlookup command to see if they satisfy your requirements.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...