Splunk Search

CSV lookup only updating 10 entries in the same day.

hrs2019
Path Finder

I am using this lookup for bot status.
I am using the "submit" button to save the status info. (disconnected or connected)

I have added a screenshot:


| inputlookup status.csv
| append [ makeresults | eval Time= strftime(_time,"%Y-%m-%d %H:%M:%S") 
| eval "DI Name"="I9", "Bot Name"="CD1","Support poc"="sam","Support Team"="IA",Status="disconnected"] 
| top "DI Name" "Bot Name" "Support poc" "Support Team" Status Time 
| table "DI Name" "Bot Name" "Support poc" "Support Team" Status Time   
| outputlookup status.csv  
| head 1
0 Karma

richgalloway
SplunkTrust

The top command defaults to 10 results. Try top 10000 "DI Name" "Bot Name" "Support poc" "Support Team" Status Time.

---
If this reply helps you, Karma would be appreciated.
0 Karma

hrs2019
Path Finder

@richgalloway For the recent events check, I want only the one top event which is submitted recently.

0 Karma

richgalloway
SplunkTrust

Then you don't want top. top returns the most common events based on the specified field(s). To get the most recent, use head or sort.

---
If this reply helps you, Karma would be appreciated.
0 Karma
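
Added example (not part of the original thread or any participant's post): the search from the question with `top` removed, so that every row of status.csv is written back instead of only the 10 that `top` returns by default. `sort 0` lifts the default 10,000-row limit of `sort`, the year-first Time strings sort chronologically as text, and `head 1` placed after `outputlookup` trims only what is displayed, not what is saved.

```spl
| inputlookup status.csv
| append
    [| makeresults
     | eval Time=strftime(_time, "%Y-%m-%d %H:%M:%S")
     | eval "DI Name"="I9", "Bot Name"="CD1", "Support poc"="sam", "Support Team"="IA", Status="disconnected"]
| table "DI Name" "Bot Name" "Support poc" "Support Team" Status Time
| sort 0 - Time
| outputlookup status.csv
| head 1
```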

hrs2019
Path Finder

Hi, thanks for your reply @richgalloway.
No, it is not working after adding 1000 for the top. Append lookup is not creating any field more than 10.
Actually, I am using this lookup for bot status.
I am using the submit button to save the status info (disconnected or connected).

I have added the screenshot also.

0 Karma

richgalloway
SplunkTrust

What is the intended purpose of top?

---
If this reply helps you, Karma would be appreciated.
0 Karma