I have a lookup table which was created manually in excel and then ported into Splunk as a lookup table via "Add New" lookup files. As I cannot get the results for the lookup by querying in Splunk (information being brought in from elsewhere that isn't logged) I am having trouble figuring out how to add rows as needed.
Question:
Is there a way to add a row to a lookup table when you can't query for the table results outside the lookup itself?
You can use the outputlookup command if you want to append results.
Or, there is a really cool lookup editor available here -> https://splunkbase.splunk.com/app/1724/
You can use the outputlookup command if you want to append results.
Or, there is a really cool lookup editor available here -> https://splunkbase.splunk.com/app/1724/
I know about outputlookup, but I'm not sure how to append a row with custom data. Most examples have you query your data and update tables with the results of the query. If I can't query for my data, then what do I do?
Looking into that tool, thanks for pointing it out!
Another hack, is you could select one entry from the lookup table, modify the field values with "eval" commands, then append to the original lookup table.
Considering things-table.csv:
thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"
The following command will lookup the first entry, modify it, then append to the lookup table:
| inputlookup things-table.csv
| search thing=1
| eval thing="4",color="purple",weight="4.4"
| outputlookup append=t things-table.csv
Then "|inputlookup things-table.csv" will have the output:
thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"
4,purple,"4.4"
You can do it in search as well. Let's say you have a CSV that was imported that looks like this:
thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"
Then, you can run the following search to view the CSV, append some made up results, dedup the data (by using stats count), and write it all back to the original CSV:
| inputlookup things.csv | append [ | stats count | eval thing=4 | eval color="purple" | eval weight=4.4 ] | stats count by thing color weight | fields - count | output lookup things.csv
After running that search, the CSV looks like this:
thing,color,weight
1,blue,"1.1"
2,green,"2.2"
3,red,"3.3"
4,purple,"4.4"
That worked! Thank you!