
Does outputlookup append or overwrite?

Splunk Employee

Does the outputlookup command overwrite or append to the existing specified lookup file? The documentation does not clarify: http://www.splunk.com/base/Documentation/latest/SearchReference/Outputlookup.

1 Solution

Splunk Employee

It will overwrite. If you want to append, you should first do an ... | inputlookup append=true myoldfile, and then probably some kind of dedup depending on the specifics of the lookup, then the outputlookup myoldfile, e.g.,

stats count by host,hostip | fields - count | inputlookup append=true hostiplookup | dedup host | outputlookup hostiplookup

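A small Python model of the two behaviours described in the accepted answer, added here as an illustration (it is not Splunk's code; the lookup rows and the host/hostip field names are constructed samples): a plain outputlookup replaces the file, while inputlookup append=true followed by dedup keeps the old keys and, because the search results come first in the pipe, lets the fresh row win for any key present in both.

```python
import csv
import io
from typing import Dict, List

# Constructed sample: what the lookup file already holds on disk.
EXISTING_CSV = "host,hostip\nweb01,10.0.0.5\ndb01,10.0.0.9\n"

# Constructed sample: what `stats count by host,hostip | fields - count`
# returns on this run of the search.
NEW_ROWS = [
    {"host": "web01", "hostip": "10.0.0.6"},   # web01 changed address
    {"host": "app01", "hostip": "10.0.0.12"},  # never seen before
]

FIELDS = ["host", "hostip"]


def inputlookup(csv_text: str) -> List[Dict[str, str]]:
    """Read the existing lookup file, like `| inputlookup <file>`."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def dedup(rows: List[Dict[str, str]], key: str) -> List[Dict[str, str]]:
    """`| dedup <key>` keeps the first row seen for each key value, in order."""
    seen = set()
    out = []
    for row in rows:
        if row[key] not in seen:
            seen.add(row[key])
            out.append(row)
    return out


def outputlookup(rows: List[Dict[str, str]]) -> str:
    """`| outputlookup <file>` replaces the whole file with the piped rows."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def overwrite_run(new_rows: List[Dict[str, str]], existing_csv: str) -> str:
    """Plain `... | outputlookup hostiplookup`: every prior row is lost."""
    return outputlookup(new_rows)


def merge_run(new_rows: List[Dict[str, str]], existing_csv: str) -> str:
    """`... | inputlookup append=true hostiplookup | dedup host | outputlookup hostiplookup`.
    New results precede the file's rows, so a repeated key keeps its new value
    and keys only present in the file survive untouched."""
    merged = new_rows + inputlookup(existing_csv)
    return outputlookup(dedup(merged, "host"))
```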

Path Finder

In my use cases it is better (safer) to export the results as CSV (by hand, via the Splunk results GUI, top-right download button) and then use the AWESOME Lookup Editor Splunk app to manually copy/paste the data I want to append. (I open the CSV in Excel to copy fields.)

Granted, this is not automated, but it keeps me from making errors or accidentally overwriting prior data in the lookup.

app: https://splunkbase.splunk.com/app/1724/



Communicator

In Splunk 6.x the above did not work until I changed | inputlookup x to append [| inputlookup x]. To clarify, this is useful for cases where you want to append data to the CSV file without making duplicate "keys". Without the extra dedup, Splunk will basically just open the file in append mode ('a') or write mode ('w').


Path Finder

I'm not sure if you are aware of this issue (Splunk 5), but when I used outputlookup with append=true, I wasn't able to write more than 1198 new records. This solution makes append=true unnecessary and works around this bug. Thanks!


Splunk Employee

Technically I guess this prepends, not appends, but that's more probably what you want anyway, especially if you're constructing a time-based lookup.


Splunk Employee

It will overwrite.

Because of this, the |outputlookup command is well suited to being used in scheduled saved searches, keeping a lookup table up to date with each run.