'Empty' a csv on a daily basis

timrich66
Path Finder

Hi all,

I have a dashboard where users can add comments to a .csv lookup file.  The comments are only related to the day that they are added.  I would like to be able to clear down the .csv on a daily basis (around midnight).  Is there a way that I can do this using Splunk to keep all the code in one place?

I plan to use the 'collect' command to send the contents to an index prior to removing all the entries in whatever way is possible.

I have tried using outputlookup but only succeeded in writing blank lines to the .csv, not overwriting or removing the contents.

Thanks

skalliger
SplunkTrust

Have you tried using the parameter create_empty=true in your outputlookup command?

Skalli

timrich66
Path Finder

Hi @skalliger, thanks for the reply.  Yes, I tried this but only managed to create empty lines in the csv.

I have written this search which only returns the entries for 'today'.  A workaround for now.

| inputlookup comment.csv
| eval Comment=if(isnull(Comment),New_Note,Comment)
| eval Date=if(isnull(Date),Date_new,Date)
| eval tdate=strftime(now(),"%d/%m/%Y")
| rex field=Date "(?<cdate>\d\d\/\d\d\/\d\d\d\d) "
| table Date, Comment, tdate, cdate
| where tdate=cdate
| table Date, Comment
| sort -Date
