How to append /write only new results to outputloo...

Ashwini008 · ‎03-05-2021

Hi

I want to write my results into outputlookup from saved search. but only when new results are there it should append it to mu lookup.which i am failing to do so

query| outputlookup append=true output.csv. This is writing multiple copies of same data into lookup.

quyery|[|inputlookup output.csv |dedup S] |outputlookup output.csv append=true. This isnt working

Any suggestions

Ashwini008 · ‎03-05-2021

UPDATE :

This worked for me

ITWhisperer · ‎03-05-2021

Try append=false

manjunathmeti · ‎03-05-2021

If field S in output.csv is part of index and sourcetype then you can try below query:

index=index sourcetype=sourcetype NOT [|inputlookup output.csv | dedup S | fields S] | outputlookup output.csv append=true

Ashwini008 · ‎03-05-2021

@ITWhisperer Tried,but still multiple values.

@manjunathmeti My output.csv is empty. So have to write my index data to output.csv.Query is failing at this point,it shows zero results

index=index sourcetype=sourcetype NOT [|inputlookup output.csv | dedup S | fields S]

dm2 · ‎02-26-2024

Hi, I have the same issue but its not working for me..

I first created the lookup and save the search as a report, and then i need to edit my query to append ONLY new values. The current query does not push values at all.

index="rapid7_threat_intelligence" type="Domain"

|table _time, source, type, value

|outputlookup DOMAIN_IOC_ACTIVE.csv append=true

| append [ | inputlookup append=true DOMAIN_IOC_ACTIVE.csv]

| dedup value

How to append /write only new results to outputlookup file

administration

configuration

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies