Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search ingesting data in lookup?

smanojkumar
Communicator
‎06-17-2022 09:59 AM

I would like to know about to add a single field value to outputlookup, as currently there are some fields like id, condition, value is there , but the need is only to ingest condition, Can anyone provide the query for this.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marysan
Communicator
‎06-17-2022 11:32 PM

inputlookup mylookup.csv
|fields condition
|outputlookup mylookup.csv (OR  outputlookup mylookup2.csv)

View solution in original post

Reply
Solved! Jump to solution
Solution

marysan
Communicator
‎06-17-2022 11:32 PM

inputlookup mylookup.csv
|fields condition
|outputlookup mylookup.csv (OR  outputlookup mylookup2.csv)

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-17-2022 01:13 PM

The inputlookup command does have a way to specify which field(s) to return.  You can, however, use the fields command for that.

| inputlookup mylookup.csv | fields condition

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

smanojkumar
Communicator
‎06-17-2022 07:34 PM

Hi @richgalloway ,

    It is kind of storing data in lookup, so for storing data in lookup that should be one field, so that i mentioned outputlookup.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-18-2022 10:15 AM

Thank for that.  You also mentioned "ingest" twice so no wonder I mis-understood.

Lookup files must be updated in their entirety.  You cannot replace a single row or field.  @marysan has the right answer for replacing the entire lookup with a single column.

To be able to updated individual fields in a lookup, use a KVStore collection.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

marysan
Communicator
‎06-18-2022 10:04 PM

Hi

there is some ways to update just one field in a lookup
for example we have a lookup with (IP,reported) fields
if you want to change reported field from 0 to 1 just for a specific IP,for example IP:1.2.3.4 , and you dont want to change other values :
|inputlookup mylookup.csv
|eval reported=if(IP="1.2.3.4",0,reported)
|outputlookup mylookup.csv

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-19-2022 07:02 AM

That is the method for updating a lookup file, but to be clear, the outputlookup command rewrites the entire lookup even if only a single bit is different.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...