Solved: How to I save my search query output as a lookup ?

zacksoft · ‎10-08-2020

my search ...
| stats values(something) as nothing
| outputlookup gemini

I wish my query output to be saved in this outlook .
But when I run the above I get error "The Lookup table gemini is invalid".
I think it is asking for lookup definition .. But How do I provide the definition ..when the lookup file is the output of my query ?

ashajambagi · ‎10-08-2020

Hi @zacksoft

You need to add .csv at the end of the file name i.e gemini.csv

View solution in original post

inventsekar · ‎10-08-2020

actually, both "outputlook lookupname" and "outputlook lookupname.csv" works fine. just now i tested it as well.

the documentation says filename must end with .csv or .csv.gz

https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Outputlookup#Examples

but, without csv, it works fine. Last whole week i have this confusion.

on the first example, the documentation also gives the filename without ".csv" extension, but it was referring filename from transform.conf.

EDIT <submitted feedback for this documentation page>

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

ashajambagi · ‎10-08-2020

Hi @zacksoft

You need to add .csv at the end of the file name i.e gemini.csv

How to I save my search query output as a lookup ?

using Splunk Enterprise

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...