Splunk Enterprise

How to use outputlookup and inputlookup in same dashboard in same query

Keerthana_18
Explorer

Hello Everyone,

I am in situation where in I will send the results to one lookup file and from there again I need to take tail 2 two rows to display as a summary in my Dashboard. Below is the exact scenario.

 

I have a search which compares last week and this week data and produces the results something like below.

DateActive InactiveDeletedAdded
10/25/202180201015

 

I need to send the results calculated in above search to one lookup file . Like that I will keep on sending  every week. It will be like below after some weeks say 3 weeks.

DateActive InactiveDeletedAdded
10/25/202180201015
11/1/20217822811
11/8/2021831896

 

so above is the lookup file,  then I need to use the the created lookup as input in the same query to perform some calculations (i.e,. I need to take tail 2 and display it as summary of last 2 weeks).

Tried something like below. But it didn't worked. Could someone help me on this.

<search > | outputlookup  test1.csv | search inputlookup test1.csv | tail 2

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Firstly, I wouldn't do it this way - keep the long-term state in a lookup file. In case you have any mistake in your processing, you lose your history. So overwriting blindly your only copy of calculated stats is a bad idea.

Anyway, I did a simple test - reading from a lookup, modifying the value(s) and writing it back seems to work ok.

| inputlookup test.csv
| eval field=field+1
| outputlookup test.csv

Repetitive searches like that cause the field value to increase.

I assume that in your case you'd need something like

| inputlokup whatever
| append [ your search generating results ]
| outputlookup whatever

Keep in mind though that each run of such search would append your lookup contents in this form so you'd have to implement some fancy logic to check whether to add whole next row or just update one of the results and so on. There's no good reason to complicate things that much. I'd just stick to calculating results on the fly and accelerate the report if needed.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

OK. It seems more complicated because the test did work (albeit run on a small all-in-one environment) but I wanted to do a one-off modification of a saved lookup and it seems doing an inputlookup then adding some column and saving the lookup file back didn't work. Strange.

It must have something to do whether I run it on all-in-one or on search head cluster, because it's repeatable - on aio it does work - modifying values, adding columns and so on. On SHC it seems to be not working.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...