Append Custom Rows to Lookup Table

pepper_seattle
Path Finder

I have a lookup table which was created manually in excel and then ported into Splunk as a lookup table via "Add New" lookup files. As I cannot get the results for the lookup by querying in Splunk (information being brought in from elsewhere that isn't logged) I am having trouble figuring out how to add rows as needed.

Question:
Is there a way to add a row to a lookup table when you can't query for the table results outside the lookup itself?

0 Karma
1 Solution

jconger
Splunk Employee

You can use the outputlookup command if you want to append results.

Or, there is a really cool lookup editor available here -> https://splunkbase.splunk.com/app/1724/

pepper_seattle
Path Finder

I know about outputlookup, but I'm not sure how to append a row with custom data. Most examples have you query your data and update tables with the results of the query. If I can't query for my data, then what do I do?

Looking into that tool, thanks for pointing it out!

bwlm
Path Finder

Another hack is that you could select one entry from the lookup table, modify the field values with "eval" commands, then append it to the original lookup table.

Considering things-table.csv:
thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"

The following command will look up the first entry, modify it, then append it to the lookup table:
| inputlookup things-table.csv
| search thing=1
| eval thing="4",color="purple",weight="4.4"
| outputlookup append=t things-table.csv

Then "|inputlookup things-table.csv" will have the output:
thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"
4,purple,"4.4"

0 Karma

jconger
Splunk Employee

You can do it in search as well. Let's say you have a CSV that was imported that looks like this:

thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"

Then, you can run the following search to view the CSV, append some made up results, dedup the data (by using stats count), and write it all back to the original CSV:

| inputlookup things.csv | append [ | stats count | eval thing=4 | eval color="purple" | eval weight=4.4 ] | stats count by thing color weight | fields - count | outputlookup things.csv

After running that search, the CSV looks like this:

thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"
4,purple,"4.4"
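As an added example (not from either answer above), here is the same append-and-write-back pattern written so that re-running it with a changed value for an existing key replaces that row instead of leaving a duplicate. It assumes the things.csv lookup from jconger's answer and uses makeresults in place of stats count to seed the single new row:

```spl
| inputlookup things.csv
| append
    [| makeresults
     | eval thing="4", color="purple", weight="4.4"
     | fields - _time ]
| reverse
| dedup thing
| sort 0 num(thing)
| table thing color weight
| outputlookup things.csv
```

reverse puts the appended row first so dedup thing keeps the new value when the key already exists, and fields - _time drops the timestamp makeresults adds so it does not become a lookup column. Deduplicating on the key matters because stats count by thing color weight only collapses exact duplicates: if any field differs, both the old and the new row for thing 4 would be written.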

pepper_seattle
Path Finder

That worked! Thank you!

0 Karma