I want to write my results into outputlookup from saved search. but only when new results are there it should append it to mu lookup.which i am failing to do so
query| outputlookup append=true output.csv. This is writing multiple copies of same data into lookup.
quyery|[|inputlookup output.csv |dedup S] |outputlookup output.csv append=true. This isnt working
If field S in output.csv is part of index and sourcetype then you can try below query:
index=index sourcetype=sourcetype NOT [|inputlookup output.csv | dedup S | fields S] | outputlookup output.csv append=true