Splunk Enterprise

How to append /write only new results to outputlookup file

Ashwini008
Builder

Hi 

I want to write my results into outputlookup from saved search. but only when new results are there it should append it to mu lookup.which i am failing to do so

query| outputlookup append=true output.csv. This is writing multiple copies of same data into lookup.

quyery|[|inputlookup output.csv |dedup S] |outputlookup output.csv append=true. This isnt working

Any suggestions

Labels (2)
0 Karma

Ashwini008
Builder

UPDATE :

This worked for me

query | outputlookup output.csv append=true| append[| inputlookup append=true output.csv]| dedup Source | outputlookup output.csv

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try append=false

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

If field S in output.csv is part of index and sourcetype then you can try below query:

index=index sourcetype=sourcetype NOT [|inputlookup output.csv | dedup S | fields S] | outputlookup output.csv append=true
0 Karma

Ashwini008
Builder

@ITWhisperer Tried,but still multiple values.

@manjunathmeti My output.csv is empty. So have to write my index data to output.csv.Query is failing at this point,it shows zero results

index=index sourcetype=sourcetype NOT [|inputlookup output.csv | dedup S | fields S] 

 

Tags (2)
0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...